If you want to make this scheme safer, you can add an haproxy layer between keepalived and the kube-apiservers.

Just install the haproxy package on your system and add the following configuration to the /etc/haproxy/haproxy.cfg file:

frontend k8s-api
    bind 0.0.0.0:8443
    bind 127.0.0.1:8443
    mode tcp
    option tcplog
    default_backend k8s-api

backend k8s-api
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server node1 10.9.8.11:6443 check
    server node2 10.9.8.12:6443 check
    server node3 10.9.8.13:6443 check

Now you can reach the Kubernetes API on port 8443. This way keepalived monitors the cluster IP, and haproxy monitors the availability of the individual kube-apiservers behind it.
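The split of responsibilities above (keepalived owns the VIP, haproxy tracks api-server health) means the state you actually want to watch lives inside haproxy. The following script is an added example, not part of the original post: it parses the CSV that haproxy returns for "show stat" on its admin socket and counts how many servers of the k8s-api backend are UP. The socket path /run/haproxy/admin.sock is an assumption; it has to be declared in the haproxy global section with "stats socket /run/haproxy/admin.sock", and the sample output embedded below is constructed.

```python
"""Count kube-apiserver backends that haproxy currently sees as UP."""
import csv
import io
import socket

BACKEND = "k8s-api"  # backend name from the haproxy.cfg in the post

# Constructed sample of 'show stat' output, trimmed to a few columns.
# Real output has many more columns but always starts with a '# ' header
# line naming them, so the parser looks fields up by name, not position.
SAMPLE_STAT = (
    "# pxname,svname,qcur,qmax,scur,status,weight,check_status,\n"
    "k8s-api,FRONTEND,0,0,3,OPEN,,,\n"
    "k8s-api,node1,0,0,0,DOWN,100,L4CON,\n"
    "k8s-api,node2,0,0,2,UP,100,L4OK,\n"
    "k8s-api,node3,0,0,1,UP,100,L4OK,\n"
    "k8s-api,BACKEND,0,0,3,UP,200,,\n"
)

def parse_server_states(stat_csv, backend=BACKEND):
    """Return {server_name: status} for the real servers of one backend."""
    rows = csv.DictReader(io.StringIO(stat_csv.lstrip("# ")))
    states = {}
    for row in rows:
        if row["pxname"] != backend:
            continue
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue  # aggregate rows, not individual servers
        states[row["svname"]] = row["status"]
    return states

def healthy_count(stat_csv, backend=BACKEND):
    """Servers whose check passes; 'UP 1/3' (going down) still counts as UP."""
    return sum(1 for s in parse_server_states(stat_csv, backend).values()
               if s.startswith("UP"))

def fetch_stat(sock_path="/run/haproxy/admin.sock"):  # assumed socket path
    """Ask a live haproxy for 'show stat' over its stats socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"show stat\n")
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks).decode()

if __name__ == "__main__":
    n = healthy_count(fetch_stat())
    print(f"{n} api-server(s) UP behind {BACKEND}")
    raise SystemExit(0 if n > 0 else 1)  # non-zero exit: no healthy backend
```

Because it exits non-zero when no api-server is UP, the same script can serve as a keepalived track script, so the VIP moves away from a node whose haproxy has lost every backend.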

You also have to configure timeouts for haproxy (in the defaults section, or in the frontend and backend), otherwise your kubectl exec sessions will be cancelled after 50 seconds:

    timeout client 4h
    timeout server 4h

Just configure your kubelets and kubectl clients to connect to port 8443 instead of 6443, and the final scheme will look like this:

[diagram: final scheme with keepalived, haproxy and the three api-servers]

If the api-server on node1 stops working:

[diagram: api-server on node1 marked down by haproxy]

And if we shut down the whole node:

[diagram: whole node down, VIP and traffic served by the remaining nodes]

Cheers!
