Calico key and path prefixes in etcd v3

The paths listed here are the key or path prefixes that a particular Calico component needs access to in etcd to function successfully.

Note: The path prefixes listed here may change in the future and at that point anything referencing them (like etcd roles) would need to be updated appropriately.

calico/node

Path Access
/calico/felix/v1/* RW
/calico/ipam/v2/* RW
/calico/resources/v3/projectcalico.org/* RW

Felix as a stand alone process

Path Access
/calico/felix/v1/* RW
/calico/resources/v3/projectcalico.org/* R

CNI-plugin

Path Access
/calico/ipam/v2/* RW
/calico/resources/v3/projectcalico.org/* RW

calico/kube-controllers

Path Access
/calico/ipam/v2/* RW
/calico/resources/v3/projectcalico.org/* RW

calicoctl (read only access)

Path Access
/calico/ipam/v2/* R
/calico/resources/v3/projectcalico.org/* R

calicoctl (policy editor access)

Path Access
/calico/ipam/v2/* R
/calico/resources/v3/projectcalico.org/* R
/calico/resources/v3/projectcalico.org/globalnetworkpolicies/* RW
/calico/resources/v3/projectcalico.org/networkpolicies/* RW
/calico/resources/v3/projectcalico.org/profiles/* RW

calicoctl (full read/write access)

Path Access
/calico/ipam/v2/* RW
/calico/resources/v3/projectcalico.org/* RW