Proposal: remove admin permission requirement in maintenance Status RPC #21466

@Tomy2e

What would you like to be added?

PR #14663 introduced an admin permission requirement on all maintenance RPCs (when auth is enabled).

I would like to remove the permission check in the Status RPC, or provide a way to disable it.

Why is this needed?

The maintenance Status RPC is used by applications to fetch some information about etcd members (etcd version, disk usage, ...).

This is notably the case in Kubernetes' API Server:

Due to the changes in the previously mentioned PR, upgrading from etcd 3.5 to 3.6 will cause errors in the Kubernetes API server when etcd auth is enabled and an unprivileged etcd user is used:

2026-03-06T15:02:48.342002709Z {"level":"warn","ts":"2026-03-06T15:02:48.341613Z","logger":"etcd-client","caller":"v3@v3.6.5/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000fddc20/127.0.0.1:2379","method":"/etcdserverpb.Maintenance/Status","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}

I'm not sure how the Kubernetes project can avoid using this RPC, and switching to the root user renders etcd authentication pointless.
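
A check an operator could run over API server logs around a 3.5 to 3.6 upgrade to see whether the etcd client is being denied maintenance RPCs. This is an added example, not part of the original issue and not etcd or Kubernetes code; the function name `DeniedMaintenanceRPCs` and the sample lines are constructed, modelled on the log line quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// clientLog holds the fields we need from an etcd-client JSON log entry.
type clientLog struct {
	Logger string `json:"logger"`
	Method string `json:"method"`
	Error  string `json:"error"`
}

// DeniedMaintenanceRPCs counts PermissionDenied failures per maintenance RPC
// method (hypothetical helper name, not an etcd or Kubernetes API).
func DeniedMaintenanceRPCs(lines []string) map[string]int {
	denied := map[string]int{}
	for _, line := range lines {
		start := strings.Index(line, "{") // skip the timestamp before the JSON object
		if start < 0 {
			continue
		}
		var e clientLog
		if json.Unmarshal([]byte(line[start:]), &e) != nil {
			continue // not a JSON log entry
		}
		if e.Logger == "etcd-client" && strings.HasPrefix(e.Method, "/etcdserverpb.Maintenance/") &&
			strings.Contains(e.Error, "code = PermissionDenied") {
			denied[e.Method]++
		}
	}
	return denied
}

// sampleLines is constructed input modelled on the log line quoted in the issue.
var sampleLines = []string{
	`2026-03-06T15:02:48.342002709Z {"level":"warn","logger":"etcd-client","method":"/etcdserverpb.Maintenance/Status","error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}`,
	`2026-03-06T15:03:18.342002709Z {"level":"warn","logger":"etcd-client","method":"/etcdserverpb.Maintenance/Status","error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}`,
	`2026-03-06T15:03:19.000000000Z {"level":"warn","logger":"etcd-client","method":"/etcdserverpb.KV/Range","error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}`,
	`2026-03-06T15:03:20.000000000Z {"level":"warn","logger":"etcd-client","method":"/etcdserverpb.Maintenance/Status","error":"rpc error: code = Unavailable desc = connection refused"}`,
	`2026-03-06T15:03:21.000000000Z plain text line without JSON`,
}

func main() {
	for method, n := range DeniedMaintenanceRPCs(sampleLines) {
		fmt.Printf("%s: denied %d time(s)\n", method, n)
	}
}
```

Denials on other services (such as the KV line in the sample) and non-permission errors are deliberately excluded, so a non-empty result points specifically at the maintenance permission check described in this issue.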
