It looks like the health-check endpoints are not allowed for an unauthorized user by default, so we could use a port-based status check for the time being.
https://kubernetes.io/docs/reference/access-authn-authz/_print/#other-component-roles
> Allows read access to control-plane monitoring endpoints (i.e.
> kube-apiserver liveness and readiness endpoints (/healthz, /livez,
> /readyz), the individual health-check endpoints (/healthz/*, /livez/*,
> /readyz/*), and /metrics). Note that individual health check endpoints
> and the metric endpoint may expose sensitive information.
$ kubectl get --raw='/livez'
ok
$ kubectl get --raw='/livez?verbose'
[+]ping ok
[+]log ok
[+]etcd ok
[+]poststarthook/start-kube-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/priority-and-fairness-config-consumer ok
[+]poststarthook/priority-and-fairness-filter ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/priority-and-fairness-config-producer ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
livez check passed
$ curl -ks https://192.168.151.76:6443/livez
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
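
Added example, not part of the original comment: a small Python classifier for the three kinds of /livez response shown above, which treats the 401 "Status" body as evidence that the API server is answering even though anonymous access is denied. The function name, the state labels, and the `[-]` failure line in the constructed sample are assumptions modelled on the `[+]` lines in the output above.

```python
import json

# Body returned to the unauthenticated curl request above.
UNAUTHORIZED_BODY = """{
  "kind": "Status", "apiVersion": "v1", "metadata": {},
  "status": "Failure", "message": "Unauthorized",
  "reason": "Unauthorized", "code": 401
}"""

# Shortened from the verbose output above.
VERBOSE_OK = "[+]ping ok\n[+]log ok\n[+]etcd ok\nlivez check passed\n"

# Constructed sample: the "[-]" failure line format is an assumption.
VERBOSE_FAIL = "[+]ping ok\n[-]etcd failed: reason withheld\nlivez check failed\n"


def classify_probe(http_status, body):
    """Classify a /livez, /readyz or /healthz response.

    Returns (state, failed_checks) where state is one of
    "healthy", "unhealthy", "up-but-unauthorized" or "unknown".
    """
    text = body.strip()
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = {}
        # A Status object with 401/403 means the server answered but denied us.
        if obj.get("kind") == "Status" and obj.get("code") in (401, 403):
            return ("up-but-unauthorized", [])
    if http_status in (401, 403):
        return ("up-but-unauthorized", [])
    # Verbose output: one "[+]name ok" or "[-]name ..." line per check.
    failed = [line[3:].split(" ", 1)[0]
              for line in text.splitlines() if line.startswith("[-]")]
    if failed:
        return ("unhealthy", failed)
    if http_status == 200 and (text == "ok" or text.endswith("check passed")):
        return ("healthy", [])
    return ("unknown", [])


if __name__ == "__main__":
    print(classify_probe(401, UNAUTHORIZED_BODY))
    print(classify_probe(200, VERBOSE_OK))
    print(classify_probe(500, VERBOSE_FAIL))
```

The "up-but-unauthorized" state carries the same information a port-based check would give: the listener is reachable, but nothing is known about the individual checks.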