Calico key and path prefixes
This document does not apply to operator installations of Calico.
The paths listed here are the key or path prefixes that a particular Calico component needs access to in etcd to function successfully.
note
The path prefixes listed here may change in the future and at that point anything referencing them (like etcd roles) would need to be updated appropriately.
calico/node
| Path | Access |
|---|
| /calico/felix/v1/ | RW |
| /calico/felix/v2/ | RW |
| /calico/ipam/v2/ | RW |
| /calico/resources/v3/projectcalico.org/felixconfigurations/ | RW |
| /calico/resources/v3/projectcalico.org/nodes/ | RW |
| /calico/resources/v3/projectcalico.org/workloadendpoints/ | RW |
| /calico/resources/v3/projectcalico.org/clusterinformations/ | RW |
| /calico/resources/v3/projectcalico.org/ippools/ | RW |
| /calico/resources/v3/projectcalico.org/* | R |
Felix as a stand alone process
| Path | Access |
|---|
| /calico/felix/v1/ | RW |
| /calico/felix/v2/ | RW |
| /calico/resources/v3/projectcalico.org/* | R |
CNI-plugin
| Path | Access |
|---|
| /calico/ipam/v2/ | RW |
| /calico/resources/v3/projectcalico.org/workloadendpoints/ | RW |
| /calico/resources/v3/projectcalico.org/ippools/ | R |
| /calico/resources/v3/projectcalico.org/clusterinformations/ | R |
| /calico/resources/v3/projectcalico.org/nodes/* | R |
calico/kube-controllers
| Path | Access |
|---|
| /calico/ipam/v2/ | RW |
| /calico/resources/v3/projectcalico.org/profiles/ | RW |
| /calico/resources/v3/projectcalico.org/networkpolicies/ | RW |
| /calico/resources/v3/projectcalico.org/nodes/ | RW |
| /calico/resources/v3/projectcalico.org/clusterinformations/ | RW |
| /calico/resources/v3/projectcalico.org/hostendpoints/ | RW |
| /calico/resources/v3/projectcalico.org/kubecontrollersconfigurations/ | RW |
| /calico/resources/v3/projectcalico.org/ | R |
note
By default, calico/kube-controllers performs periodic compaction of the etcd data store. If you limit it to just these paths it will be unauthorized to perform this compaction, as that operation requires root privileges on the etcd cluster. You should configure auto-compaction on your etcd cluster and disable calico/kube-controllers periodic compaction.
OpenStack Calico driver for Neutron
| Path | Access |
|---|
| /calico/resources/v3/projectcalico.org/ | RW |
| /calico/dhcp/v1/ | RW |
| /calico/dhcp/v2/ | RW |
| /calico/compaction/v1/ | RW |
| /calico/openstack/v1/ | RW |
| /calico/openstack/v2/ | RW |
| /calico/felix/v1/ | R |
| /calico/felix/v2/ | R |
OpenStack Calico DHCP agent
| Path | Access |
|---|
| /calico/resources/v3/projectcalico.org/ | R |
| /calico/dhcp/v1/ | R |
| /calico/dhcp/v2/* | R |
calicoctl (read only access)
| Path | Access |
|---|
| /calico/ipam/v2/ | R |
| /calico/resources/v3/projectcalico.org/ | R |
calicoctl (policy editor access)
| Path | Access |
|---|
| /calico/ipam/v2/ | R |
| /calico/resources/v3/projectcalico.org/ | R |
| /calico/resources/v3/projectcalico.org/globalnetworkpolicies/ | RW |
| /calico/resources/v3/projectcalico.org/globalnetworksets/ | RW |
| /calico/resources/v3/projectcalico.org/networkpolicies/ | RW |
| /calico/resources/v3/projectcalico.org/networksets/ | RW |
| /calico/resources/v3/projectcalico.org/profiles/* | RW |
calicoctl (full read/write access)
| Path | Access |
|---|
| /calico/ipam/v2/ | RW |
| /calico/resources/v3/projectcalico.org/ | RW |
我的书签
添加书签
移除书签
