导入阿里云ack集群卡住Cluster agent is not connected

hong · 2026 年1 月 28 日 07:48

Rancher Server 设置

Rancher 版本：2.11.3
安装选项 (Docker install/Helm Chart): Docker install
在线或离线部署：离线部署

下游集群信息

Kubernetes 版本: 阿里云ack v1.30.1（arm64架构）
Cluster Type (Local/Downstream):
- 如果 Downstream，是什么类型的集群?(自定义/导入或为托管等): 导入

用户信息

登录用户的角色是什么？（管理员/集群所有者/集群成员/项目所有者/项目成员/自定义）：管理员
- 如果自定义，自定义权限集：管理员

主机操作系统： aliyun linux 3 x86架构

问题描述： 导入阿里云ack一直是waiting状态，状况里面显示：[Disconnected] cluster agent is not connected.
查看cattle-cluster-agent的状态是running，无异常

重现步骤： 在离线环境下，使用docker 部署单机版rancher，之后导入专有云 ack集群v1.30（arm64架构）

**结果：**导入卡住

**预期结果：**导入成功

截图：

其他上下文信息：

日志

[root@master134 ~]# curl --insecure -sfL https://41.xxx.109:8443/v3/import/9gr6cfvlg5ktt7cmjm6gz99hj57t98p2rvd2w562s7dk8xjnlb9vxh_c-fwngn.yaml | kubectl apply -f -
clusterrole.rbac.authorization.k8s.io/proxy-clusterrole-kubeapiserver unchanged
clusterrolebinding.rbac.authorization.k8s.io/proxy-role-binding-kubernetes-master unchanged
namespace/cattle-system unchanged
serviceaccount/cattle unchanged
clusterrolebinding.rbac.authorization.k8s.io/cattle-admin-binding unchanged
secret/cattle-credentials-e3a8109495 created
clusterrole.rbac.authorization.k8s.io/cattle-admin unchanged
Warning: spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key: beta.kubernetes.io/os is deprecated since v1.14; use "kubernetes.io/os" instead
deployment.apps/cattle-cluster-agent created
service/cattle-cluster-agent created
[root@master134 ~]# 

[root@master134 ~]# kubectl logs -n cattle-system cattle-cluster-agent-7788d764f6-vh28z
INFO: Environment: CATTLE_ADDRESS=172.20.1.7 CATTLE_CA_CHECKSUM=9020bcd7bff965575f5be0278becf8763c55db9adf84fb4091c1f197bca3acd4 CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://172.21.3.166:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://172.21.3.166:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=172.21.3.166 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://172.21.3.166:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=172.21.3.166 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=172.21.3.166 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_CREDENTIAL_NAME=cattle-credentials-e3a8109495 CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=1f98a8c6-3af6-4277-a3f0-b79f8c13ed35 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-7788d764f6-vh28z CATTLE_RANCHER_PROVISIONING_CAPI_VERSION=106.0.0+up0.7.0 CATTLE_RANCHER_WEBHOOK_VERSION=106.0.3+up0.7.3 CATTLE_SERVER=https://41.xxx.xx.109:8443 CATTLE_SERVER_VERSION=v2.11.3
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 172.21.0.10 options ndots:5
INFO: https://41.xxx.109:8443/ping is accessible
INFO: Value from https://41.xxx.109:8443/v3/settings/cacerts is an x509 certificate
time="2026-01-28T06:34:08Z" level=info msg="starting cattle-credential-cleanup goroutine in the background"
time="2026-01-28T06:34:08Z" level=info msg="Listening on /tmp/log.sock"
time="2026-01-28T06:34:08Z" level=info msg="Rancher agent version v2.11.3 is starting"
time="2026-01-28T06:34:08Z" level=info msg="Testing connection to https://41.xxx.109:8443 using trusted certificate authorities within: /etc/kubernetes/ssl/certs/serverca"
time="2026-01-28T06:34:08Z" level=info msg="Connecting to wss://41.xxx.109:8443/v3/connect/register with token starting with 9gr6cfvlg5ktt7cmjm6gz99hj57"
time="2026-01-28T06:34:08Z" level=info msg="Connecting to proxy" url="wss://41.xxx.109:8443/v3/connect/register"
[root@master134 ~]#

Rancher server 日志
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Creating namespace c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Creating Default project for cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Creating namespace p-p5m2t
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=c-fwngn, err=Operation cannot be fulfilled on namespaces "c-fwngn": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=c-fwngn, err=Operation cannot be fulfilled on namespaces "c-fwngn": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Creating creator projectRoleTemplateBinding for user user-j9xkz for project p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Creating System project for cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Setting InitialRolesPopulated condition on project p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Creating namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Updating cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role/clusterRole p-p5m2t-projectowner
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Updating project p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Creating creator clusterRoleTemplateBinding for user user-j9xkz for cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for membership in project p-p5m2t for subject user-j9xkz
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role/clusterRole c-fwngn-clustermember
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Updating project p-p5m2t
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=p-p5m2t, err=Operation cannot be fulfilled on namespaces "p-p5m2t": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating clusterRoleBinding for membership in cluster c-fwngn for subject user-j9xkz
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating role/clusterRole c-fwngn-clusterowner
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Setting InitialRolesPopulated condition on cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Updating cluster c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating clusterRoleBinding for membership in cluster c-fwngn for subject user-j9xkz
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role project-owner in namespace p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating role cluster-owner in namespace c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role admin in namespace p-p5m2t
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=p-p5m2t, err=Operation cannot be fulfilled on namespaces "p-p5m2t": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for subject user-j9xkz with role project-owner in namespace p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject user-j9xkz with role cluster-owner in namespace c-fwngn
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for subject user-j9xkz with role admin in namespace p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating role cluster-owner in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Creating creator projectRoleTemplateBinding for user user-j9xkz for project p-x2qs5
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=p-p5m2t, err=Operation cannot be fulfilled on namespaces "p-p5m2t": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject user-j9xkz with role cluster-owner in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Setting InitialRolesPopulated condition on project p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating role cluster-owner in namespace p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject user-j9xkz with role cluster-owner in namespace p-p5m2t
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Updating project p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role/clusterRole p-x2qs5-projectowner
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for membership in project p-x2qs5 for subject user-j9xkz
2026/01/28 06:20:23 [ERROR] defaultSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=p-x2qs5, err=Operation cannot be fulfilled on namespaces "p-x2qs5": the object has been modified; please apply your changes to the latest version and try again
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Updating clusterRoleBinding crb-dva67fygvv for cluster membership in cluster c-fwngn for subject user-j9xkz
2026/01/28 06:20:23 [INFO] [mgmt-project-rbac-create] Updating project p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role project-owner in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating role admin in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for subject user-j9xkz with role project-owner in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-auth-prtb-controller] Creating roleBinding for subject user-j9xkz with role admin in namespace p-x2qs5
2026/01/28 06:20:23 [INFO] [mgmt-cluster-rbac-delete] Updating cluster c-fwngn
2026/01/28 06:20:25 [ERROR] 2026/01/28 06:20:25 http: TLS handshake error from 41.192.60.193:58837: remote error: tls: unknown certificate
2026/01/28 06:20:27 [INFO] RDPClient: Checking if dialer is built...
2026/01/28 06:20:27 [INFO] RDPClient: Dialer is not built yet, waiting 5 secs to re-check.
2026/01/28 06:34:08 [INFO] Handling backend connection request [c-fwngn]
2026/01/28 06:34:08 [INFO] Starting cluster controllers for c-fwngn
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=LimitRange controller
2026/01/28 06:34:08 [INFO] Starting apiregistration.k8s.io/v1, Kind=APIService controller
2026/01/28 06:34:08 [INFO] Starting rbac.authorization.k8s.io/v1, Kind=RoleBinding controller
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=ServiceAccount controller
2026/01/28 06:34:08 [INFO] Starting cluster agent for c-fwngn [owner=true]
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=Secret controller
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding for project access to global resource for subject user-j9xkz role create-ns.
2026/01/28 06:34:08 [INFO] Starting rbac.authorization.k8s.io/v1, Kind=Role controller
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=Namespace controller
2026/01/28 06:34:08 [WARNING] Namespace cattle-impersonation-system references project p-xmwlf in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [WARNING] Namespace cattle-system references project p-xmwlf in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [WARNING] Namespace default references project p-jswdk in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [WARNING] Namespace kube-node-lease references project p-xmwlf in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [WARNING] Namespace kube-public references project p-xmwlf in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [WARNING] Namespace kube-system references project p-xmwlf in namespace c-kp6dw which does not exist
2026/01/28 06:34:08 [INFO] Starting rbac.authorization.k8s.io/v1, Kind=ClusterRole controller
2026/01/28 06:34:08 [INFO] Starting rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding controller
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=ResourceQuota controller
2026/01/28 06:34:08 [INFO] Starting /v1, Kind=Node controller
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding for project access to global resource for subject user-j9xkz role p-p5m2t-namespaces-edit.
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding User user-j9xkz Role cluster-owner
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding User user-j9xkz Role cluster-owner
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.142]
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding for project access to global resource for subject user-j9xkz role project-owner-promoted.
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.146]
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.134]
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.139]
2026/01/28 06:34:08 [INFO] Updating clusterRoleBinding crb-pi6csovahb for project access to global resource for subject user-j9xkz role create-ns.
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.138]
2026/01/28 06:34:08 [INFO] Creating clusterRoleBinding for project access to global resource for subject user-j9xkz role p-x2qs5-namespaces-edit.
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.145]
2026/01/28 06:34:08 [INFO] Updating clusterRoleBinding crb-ocpmvitgli for project access to global resource for subject user-j9xkz role project-owner-promoted.
2026/01/28 06:34:08 [INFO] Creating user for principal system://c-fwngn
2026/01/28 06:34:08 [INFO] EnsureSecretForServiceAccount: waiting for secret [cattle-impersonation-system:cattle-impersonation-user-j9xkz-token-29jtv] for service account [cattle-impersonation-system:cattle-impersonation-user-j9xkz] to be populated with token
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.135]
2026/01/28 06:34:08 [INFO] Rolling back ServiceAccount secret for [cattle-impersonation-system:cattle-impersonation-user-j9xkz-token-klp5j]
2026/01/28 06:34:08 [INFO] EnsureSecretForServiceAccount: got the service account token for service account [cattle-impersonation-system:cattle-impersonation-user-j9xkz] in 25.652288ms
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.143]
2026/01/28 06:34:08 [INFO] Creating globalRoleBindings for u-f55ehztxhk
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.144]
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.136]
2026/01/28 06:34:08 [INFO] Creating new GlobalRoleBinding for GlobalRoleBinding grb-2q5br
2026/01/28 06:34:08 [INFO] [mgmt-auth-grb-controller] Creating clusterRoleBinding for globalRoleBinding grb-2q5br for user u-f55ehztxhk with role cattle-globalrole-user
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.140]
2026/01/28 06:34:08 [INFO] Created machine for node [cn-zhejiang-zjsgat-d01.41.194.38.141]
2026/01/28 06:34:08 [INFO] Creating system token for u-f55ehztxhk, token: agent-u-f55ehztxhk
2026/01/28 06:34:08 [INFO] [mgmt-auth-crtb-controller] Creating clusterRoleBinding for membership in cluster c-fwngn for subject u-f55ehztxhk
2026/01/28 06:34:08 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject u-f55ehztxhk with role cluster-owner in namespace c-fwngn
2026/01/28 06:34:08 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject u-f55ehztxhk with role cluster-owner in namespace p-p5m2t
2026/01/28 06:34:09 [INFO] [mgmt-auth-crtb-controller] Creating roleBinding for subject u-f55ehztxhk with role cluster-owner in namespace p-x2qs5
2026/01/28 06:34:09 [INFO] EnsureSecretForServiceAccount: waiting for secret [cattle-impersonation-system:cattle-impersonation-u-f55ehztxhk-token-gnfgg] for service account [cattle-impersonation-system:cattle-impersonation-u-f55ehztxhk] to be populated with token
2026/01/28 06:34:09 [INFO] EnsureSecretForServiceAccount: got the service account token for service account [cattle-impersonation-system:cattle-impersonation-u-f55ehztxhk] in 5.065641ms
2026/01/28 06:34:09 [INFO] Creating clusterRoleBinding User u-f55ehztxhk Role cluster-owner
2026/01/28 06:34:12 [INFO] RDPClient: Checking if dialer is built...
2026/01/28 06:34:12 [INFO] RDPClient: Dialer is not built yet, waiting 5 secs to re-check.

hong · 2026 年1 月 29 日 02:55

请忽略，是k8s集群的出口安全组没有开