After Rancher 2.6.x upgrade, HTTP 403 Errors in Rancher UI

This document (000020710) is provided subject to the disclaimer at the end of this document.

Environment

Several features of Rancher UI don't work and return HTTP 403 for some users after Rancher upgrade from 2.6.x :
- Shell execution
- Yaml editing

Situation

For some users, several Rancher features are not working and returning HTTP 403 (Forbidden)

Rancher Trace log:

User-system-serviceaccount-cattle-impersonation-system-cattle-impersonation-u-vnds56pccy-cannot-impersonate-resource-users-in-API-group-at-the-cluster-scope-due-to-missing-clusterrolebinding

Resolution

1. Check RBAC Clusterroles and Clusterrolebindings of the affected user

## Clusterroles of the user
$ kubectl get clusterrole | grep u-b3l74guter
 
## Clusterrolebindings of the  user
$ kubectl get clusterrolebinding | grep u-b3l74guter

2. From the previous output, the expected Clusterrole cattle-impersonation-u-xxxxxxxx is present, but the Clusterrolebinding is absent.

3. Delete the cattle-impersonation-user-xxxx Clusterrole of the user

$ kubectl delete clusterrole cattle-impersonation-u-b3l74guter

4. Trigger the recreation of the Clusterrole and Clusterrolebinding by browsing to a Rancher feature.

e.g: open a Monitoring link in the cluster
This action triggered the recreation of the Clusterrole and Clusterrolebinding

Additional Information

https://github.com/rancher/rancher/issues/33912

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.