If you want to make this scheme more safe you can add haproxy layer between keepalived and kube-apiserver.
Just install haproxy package into your system, and add the next configuration into /etc/haproxy/haproxy.cfg
file:
frontend k8s-api
bind 0.0.0.0:8443
bind 127.0.0.1:8443
mode tcp
option tcplog
default_backend k8s-api
backend k8s-api
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server node1 10.9.8.11:6443 check
server node2 10.9.8.12:6443 check
server node3 10.9.8.13:6443 check
Now you can access kubernetes api on port :8443
. So this way keepalived will monitor the cluster IP, and haproxy will monitor the availability of kubernetes api-servers.
Also you have to configure timeouts for the haproxy, otherwise your kubectl exec commands will be canceled after 50 seconds
timeout client 4h
timeout server 4h
Just configure your kubelets and kubectl clients to connect on 8443 port instead 6443, and final scheme will looks like:

If we will have non working api-server on node1:

And if we will shutdown whole node:

Cheers!