I have quite a few failures when starting kube-apiserver in 1.10.11 K8s version. Its health check comes back with poststarthook/rbac/bootstrap-roles failed. Very annoyingly, for security reasons, the reason is "reason withheld" How do I know what this check is? Am I missing some permissions / bindings? I'm upgrading from 1.9.6. Release notes didn't clearly mention anything like this is required.
All the details can be accessed with a super user credential or on the unsecured port (if you are running with that enabled) at /healthz/<name-of-health-check>
The RBAC check in particular reports unhealthy until the initial startup is completed and default roles are verified to exist. Typically, no user action is required to turn the check healthy, it simply reports that the apiserver should not be added to a load balancer yet, and reports healthy after a couple seconds, once startup completes. Persistent failure usually means problems communicating with etcd (I'd expect the /healthz/etcd check to be failing in that case as well). That behavior has been present since RBAC was introduced, and is not new in 1.10