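Rancher Server Setup
- Rancher version: 2.13.0
- Installation option (Helm Chart):
- If installed via Helm Chart, provide the Local cluster type (RKE1, RKE2, k3s, EKS, etc.) and version: K3S v1.34.2+k3s1
- Online or air-gapped deployment:
Downstream cluster information
- Kubernetes version: K3S v1.34.2+k3s1
- Cluster Type (Local/Downstream): Local
User information
- What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): Admin
Host OS: openEuler20.03SP4
Problem description:
When installing with a self-signed certificate via cert-manager, an error is reported and Rancher fails to start
Steps to reproduce: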
helm template rancher ./rancher-2.13.0.tgz --output-dir . --namespace cattle-system --set hostname=xxx.xxx.com --set ingress.tls.source=rancher --set rancherImage=192.168.22.214:5000/rancher/rancher --set systemDefaultRegistry=192.168.22.214:5000 --set useBundledSystemChart=true --set rancherImageTag=v2.13.0 --set replicas=1
kubectl create namespace cattle-system
kubectl apply -R -f ./rancher
Result:
Error
[FATAL] clusters.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "clusters" in API group "management.cattle.io" at the cluster scope
Additional context:
Logs
[root@fzdt03 rancher-2.13.0]# kubectl logs -f rancher-7f6b566b89-4tq72
Restoring git repositories:
- /var/lib/rancher-data/local-catalogs/v2/rancher-charts/4b40cac650031b74776e87c1a726b0484d0877c3ec137da0872547ff9b73a721/.git
Your branch is up to date with 'origin/release-v2.13'.
/var/lib/rancher
- /var/lib/rancher-data/local-catalogs/v2/rancher-rke2-charts/675f1b63a0a83905972dcab2794479ed599a6f41b86cd6193d69472d0fa889c9/.git
Your branch is up to date with 'origin/main'.
/var/lib/rancher
- /var/lib/rancher-data/local-catalogs/v2/rancher-partner-charts/8f17acdce9bffd6e05a58a3798840e408c4ea71783381ecd2e9af30baad65974/.git
Your branch is up to date with 'origin/main'.
/var/lib/rancher
2026/01/16 02:21:49 [INFO] Rancher version v2.13.0 (f94ac947f75e312f1ab9217d21b2770b48b734c8) is starting
2026/01/16 02:21:49 [INFO] Rancher arguments {ACMEDomains:[] AddLocal:true Embedded:false BindHost: HTTPListenPort:80 HTTPSListenPort:443 K8sMode:auto Debug:false Trace:false NoCACerts:false AuditLogPath:/var/log/auditlog/rancher-api-audit.log AuditLogMaxage:10 AuditLogMaxsize:100 AuditLogMaxbackup:10 AuditLogLevel:0 AuditLogEnabled:false Features: ClusterRegistry: AggregationRegistrationTimeout:5m0s}
2026/01/16 02:21:49 [INFO] Listening on /tmp/log.sock
2026/01/16 02:21:49 [FATAL] clusters.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "clusters" in API group "management.cattle.io" at the cluster scope
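
Added example, not part of the original post and not Rancher's own code: the FATAL line names the identity system:serviceaccount:default:rancher, while the manifests were rendered with --namespace cattle-system. The check below reads rendered manifests and reports ServiceAccounts that, once applied into a given namespace, no binding subject names. The sample manifest and function names are constructed, and it assumes the chart leaves metadata.namespace off the ServiceAccount while writing the release namespace into the binding subject.

```python
import re

# Constructed sample standing in for `helm template ... --namespace cattle-system` output.
# Assumption: ServiceAccount has no metadata.namespace; the subject names the release namespace.
RENDERED = """\
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rancher
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
"""

def section(doc, key):
    """Indented or list lines under a top-level `key:` (flat Helm output only)."""
    m = re.search(rf"^{key}:\n((?:[ -].*\n?)+)", doc, re.M)
    return m.group(1) if m else ""

def field(text, key):
    m = re.search(rf"^[ -]*{key}:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def unbound_service_accounts(rendered, apply_ns):
    """Identities of ServiceAccounts, as created in apply_ns, that no binding names."""
    created, bound = set(), set()
    for doc in re.split(r"^---\s*$", rendered, flags=re.M):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
        if not kind:
            continue
        if kind.group(1) == "ServiceAccount":
            meta = section(doc, "metadata")
            # kubectl fills a missing metadata.namespace from -n or the context.
            created.add((field(meta, "namespace") or apply_ns, field(meta, "name")))
        elif kind.group(1) in ("ClusterRoleBinding", "RoleBinding"):
            for item in re.split(r"^- ", section(doc, "subjects"), flags=re.M):
                if field(item, "kind") == "ServiceAccount":
                    bound.add((field(item, "namespace"), field(item, "name")))
    return sorted(f"system:serviceaccount:{ns}:{n}" for ns, n in created - bound)
```

On the constructed sample, `unbound_service_accounts(RENDERED, "default")` returns the identity from the log, and passing `"cattle-system"` returns an empty list.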