If you want to make this scheme more safe you can add haproxy layer between keepalived and kube-apiserver.

Just install haproxy package into your system, and add the next configuration into /etc/haproxy/haproxy.cfg file:

frontend k8s-api
  bind 0.0.0.0:8443
  bind 127.0.0.1:8443
  mode tcp
  option tcplog
  default_backend k8s-api

backend k8s-api
  mode tcp
  option tcplog
  option tcp-check
  balance roundrobin
  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
  server node1 10.9.8.11:6443 check
  server node2 10.9.8.12:6443 check
  server node3 10.9.8.13:6443 check

Now you can access kubernetes api on port :8443. So this way keepalived will monitor the cluster IP, and haproxy will monitor the availability of kubernetes api-servers.

Also you have to configure timeouts for the haproxy, otherwise your kubectl exec commands will be canceled after 50 seconds

timeout client          4h
timeout server          4h

Just configure your kubelets and kubectl clients to connect on 8443 port instead 6443, and final scheme will looks like:

If we will have non working api-server on node1:

And if we will shutdown whole node:

Cheers!