Comment 1 for bug 1937171

Nobuto Murata (nobuto) wrote :

It looks like the health-check endpoints are not allowed for an unauthorized user by default, so we could use a port-based status check for the time being.

https://kubernetes.io/docs/reference/access-authn-authz/_print/#other-component-roles
> Allows read access to control-plane monitoring endpoints (i.e.
> kube-apiserver liveness and readiness endpoints (/healthz, /livez,
> /readyz), the individual health-check endpoints (/healthz/*, /livez/*,
> /readyz/*), and /metrics). Note that individual health check endpoints
> and the metric endpoint may expose sensitive information.

$ kubectl get --raw='/livez'
ok

$ kubectl get --raw='/livez?verbose'
[+]ping ok
[+]log ok
[+]etcd ok
[+]poststarthook/start-kube-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/priority-and-fairness-config-consumer ok
[+]poststarthook/priority-and-fairness-filter ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/priority-and-fairness-config-producer ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
livez check passed

$ curl -ks https://192.168.151.76:6443/livez
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
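
Added example, not part of the original comment or of any project's code: a probe that treats a 401/403 from /livez as "no health information" and falls back to the port-based check suggested above. The function names, the returned status strings, and the failing `[-]` sample line are assumptions made for illustration.

```python
import socket

# Constructed samples: the 401 body mirrors the curl output above; the
# failing verbose output is invented for illustration.
UNAUTHORIZED_BODY = '{"kind": "Status", "status": "Failure", "reason": "Unauthorized", "code": 401}'
VERBOSE_FAILING = "[+]ping ok\n[+]log ok\n[-]etcd failed: reason withheld\nlivez check failed\n"


def port_open(host, port, timeout=2.0):
    """Port-based check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def failed_checks(verbose_body):
    """Names of checks marked '[-]' in '/livez?verbose' output."""
    names = []
    for line in verbose_body.splitlines():
        if line.startswith("[-]"):
            names.append(line[3:].split(" ", 1)[0])
    return names


def apiserver_status(http_status, body, host, port):
    """Classify a /livez probe, falling back to the port check on 401/403."""
    if http_status == 200:
        return "live"
    if http_status in (401, 403):
        # The apiserver answered but refused the caller, so the endpoint says
        # nothing about health; only reachability of the port is known.
        return "listening" if port_open(host, port) else "down"
    failing = failed_checks(body)
    return "not live: " + ", ".join(failing) if failing else "not live"
```

A "listening" result only shows that something accepts connections on the port; it does not confirm that the checks listed by `/livez?verbose` pass.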