I've been following the Kubernetes The Hard Way tutorial, but instead using on-prem hardware for it. I also updated to using the v1.13.2 release instead of v1.12.0, which the tutorial is based on.
A problem I've encountered is with the healthz check:
curl --cacert /var/lib/kubernetes/ca.pem -i https://127.0.0.1:6443/healthz
The tutorial does the healthz check by having an nginx instance fronting the API server, which connects to the API server using TLS. The only reason to do this is because the GCP load balancer needs a non-TLS endpoint for the health check. I don't see why using curl directly with TLS shouldn't work. Has something changed in terms of default permissions between the v1.12.0 and v1.13.2 releases?
I see the following in the logs of the API server:
Jan 25 21:53:50 master-1 kube-apiserver[24339]: I0125 21:53:50.039624 24339 log.go:172] http: TLS handshake error from 127.0.0.1:33398: EOF
curl will just spit out the usual 401 message.