I get this error 1 in 3 times when trying any kubectl command, using a KubeConfig from rancher ui for a "downstream" rke cluster:

Error from server (InternalError): an error on the server ("unable to create impersonator account: error setting up impersonation for user user-6j58n: failed to get secret for service account: cattle-impersonation-system/cattle-impersonation-user-6j58n, error: timed out waiting for the condition") has prevented the request from succeeding (get nodes)

There's 3 nodes with "all roles", plus 1 worker. "current-context" in KubeConfig points to fqdn for rancher mgmt cluster. If I change this to point to one of the rke cluster nodes, it always works, for all 3 nodes. In "cattle-impersonation-system" ns on rke cluster exists secret "cattle-impersonation-user-6j58n-token", but not without "-token". Help? 🙂