Linkerd2: 2.7.1 web dashboard - tap service health status issue

Bug Report

What is the issue?

The health check in the "control plane" section of the LinkerD dashboard reports the following error/warning about the tap API service. The dashboard is running behind an NGINX proxy in a Kubernetes 1.16.5 cluster.

! tap api service is running

apiservices.apiregistration.k8s.io "v1alpha1.tap.linkerd.io" is forbidden: User "system:serviceaccount:linkerd:linkerd-web" cannot get resource "apiservices" in API group "apiregistration.k8s.io" at the cluster scope

see https://linkerd.io/checks/#l5d-tap-api for hints

The recommended URL does not seem to provide anything useful for that situation.

The tap tool is working from the dashboard.

How can it be reproduced?

By clicking "RUN LINKERD CHECK" in the Control Plane of the dashboard.

Logs, error output, etc

The only errors I can see are inside the linkerd tap pods. They happen when you stop the the "tap" tool. I replaced the actual IPs with zeros.

time="2020-04-14T20:48:10Z" level=error msg="[0.0.0.0] encountered an error: rpc error: code = Canceled desc = con
text canceled"
time="2020-04-14T20:48:10Z" level=error msg="[0.0.0.0] encountered an error: rpc error: code = Canceled desc = cont
ext canceled"

linkerd check output

If I run "linkerd check" from my PC, it does not report any security errors:

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
√ trust roots are within their validity period
√ trust roots are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust root

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ tap api service is running

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

Status check results are √

Environment

• Kubernetes Version: 1,16.5
• Cluster Environment: AKS
• Host OS: Ubuntu LTS 16.04
• Linkerd version: 2.7.1

Possible solution

Additional context