What would you like to be added?
PR #14663 introduced admin permission requirement on all maintenance RPCs (when auth is enabled).
I would like to remove the permission check in the Status RPC, or provide a way to disable it.
Why is this needed?
The maintenance Status RPC is used by applications to fetch some information about etcd members (etcd version, disk usage, ...).
This is notably the case in Kubernetes' API Server:
Due to the changes in the previously mentioned PR, upgrading from etcd 3.5 to 3.6 will cause errors in the Kubernetes API server when etcd auth is enabled and using an etcd unprivileged user:
2026-03-06T15:02:48.342002709Z {"level":"warn","ts":"2026-03-06T15:02:48.341613Z","logger":"etcd-client","caller":"v3@v3.6.5/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000fddc20/127.0.0.1:2379","method":"/etcdserverpb.Maintenance/Status","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
I'm not sure how the Kubernetes project can avoid using this RPC, and switching to the root user renders etcd authentication pointless.
What would you like to be added?
PR #14663 introduced admin permission requirement on all maintenance RPCs (when auth is enabled).
I would like to remove the permission check in the
StatusRPC, or provide a way to disable it.Why is this needed?
The maintenance
StatusRPC is used by applications to fetch some information about etcd members (etcd version, disk usage, ...).This is notably the case in Kubernetes' API Server:
Due to the changes in the previously mentioned PR, upgrading from etcd 3.5 to 3.6 will cause errors in the Kubernetes API server when etcd auth is enabled and using an etcd unprivileged user:
I'm not sure how the Kubernetes project can avoid using this RPC, and switching to the root user renders etcd authentication pointless.