Configuring a Calico Role for etcdv2 RBAC

Calico writes all of its data in a /calico/ directory of etcd. To function properly with etcdv2’s RBAC, it will need the following permissions:

  • R/W access to /calico
  • R/W access to /calico/*

The following example will create a role called calico-role with the necessary permissions:

$ etcdctl role add calico-role
$ etcdctl role grant calico-role -path '/calico' -readwrite
$ etcdctl role grant calico-role -path '/calico/*' -readwrite

Configuring calicoctl to use authenticated etcd access

To configure Calico to use the newly created role, each component will individually need to be supplied with the role name and password. See the relevant component configuration guide: