What Do I Do If I Encounter an Exception When Creating a Private Resource Group?

Symptom

An exception occurs when you create a private resource group, and the following information is displayed:

• Label failed, check cluster status.
• nodes "xxx" is forbidden: User "xxxxxxx" cannot patch resource "nodes" in API group "" at the cluster scope

Figure 1 Exception scenario 1

Possible Causes

You are using the IAM 5.0 permission model, which offers enhanced permission control. You need to manually authorize the IAM 5.0 agency on Cloud Container Engine (CCE).

Verification

1. Click in the upper left corner of the console, and search for and click Identity and Access Management.
2. Click Go to New Console in the upper right corner. In the navigation pane of IAM, choose Agencies.
3. On the page displayed, search for perftest_admin_trust in the search box. The presence of this agency indicates that you are using the IAM 5.0 permission model.
   Figure 3 Agency
   

Solution

1. Click in the upper left corner, and search for and click Cloud Container Engine.
2. In the navigation pane, choose Permissions. In the search box, search for the cluster where the private resource group is located and click Add Permission in the upper right corner.
   Figure 4 Adding permissions
   

3. Set User/User Group to Account, search for and select perftest_admin_trust from the drop-down list, set Namespace to All namespaces, set Permission Type to Administrator, and click OK.
   Figure 5 Configuration for adding permissions
   

4. After the authorization is complete, go to the CodeArts PerfTest console, delete the resource group that fails to be created on the Resource Groups page, and create a resource group again.