I enabled ACE on downward cluster from my rancher,...
# general
q
I enabled ACE on downward cluster from my rancher, but when I try to connect to the cluster, I get an error indicating that I need to be logged in. When I looked at the cattle-impersonation-system namespace in the downstream cluster, I see only the project owner service account is configured. Is there a way to configure other users configured in the rancher cluster to access the downstream cluster?
c
you need to get a new kubeconfig that contains a context for that cluster
q
Thanks. I copied the kubeconfig for the downstream cluster using the rancher UI and I get the same error. Is there a way to sync the users from rancher to the downstream cluster?
c
1. what kind of downstream cluster is this, and how did you configure ACE? 2. you are sure that you’re using the context that points at the downstream endpoints?
Did you manually configure an endpoint, or did you let rancher just generate endpoints from the server node addresses?
q
The downstream cluster is RKE2. I enabled ACE by editing the yaml file. I see the context set to my downstream cluster
I think I also manually configured the ACE because enabling the ACE after editing the yaml file for cluster didn’t work. I followed steps mentioned in rancher documentation
c
right so did you set a fqdn manually, or did you let it generate endpoints based on the control-plane node addresses
are you using the -fqdn or the -node_name context to connect directly
q
I didn’t set fqdn manually.
It is using the node ip address
c
so you are using the `<CLUSTER_NAME>-<NODE_NAME>` context?
q
Yes
c
and you’ve confirmed that the webhook config file is in place on all server nodes, the configuration has been updated, and the server nodes have been restarted?
you need to do that on all the server nodes
q
I didn’t restart all server nodes. I will try that. Thanks for the help
c
that is covered in the docs
step 3
q
I need to restart only control plane nodes, right?
c
you should do it on all server nodes
q
ok. Thanks. Appreciate your help
c
you need to place the webhook config file, add the apiserver arg to config.yaml, and restart the service, on all server nodes. THEN update the cluster in the rancher UI
If you follow the documented steps it should work