home-server/talos/runbooks/api-vip-kube-vip.md

Runbook: Kubernetes API VIP (kube-vip)

Symptoms: kubectl timeouts, connection refused to https://192.168.50.230:6443, or nodes NotReady while apiserver on a node IP still works.

Checks

1. VIP and interface align with talos/talconfig.yaml (cluster.network, additionalApiServerCertSans) and clusters/noble/apps/kube-vip/.
2. kubectl -n kube-system get pods -l app.kubernetes.io/name=kube-vip -o wide — DaemonSet should be Running on control-plane nodes.
3. From a workstation: ping 192.168.50.230 (if ICMP allowed) and curl -k https://192.168.50.230:6443/healthz or kubectl get --raw /healthz with kubeconfig server: set to the VIP.
4. talosctl health with TALOSCONFIG (see talos/README.md §3).

Common fixes

• Wrong uplink name in kube-vip (ens18 vs actual): fix manifest, re-apply, verify on node with talosctl get links.
• Workstation routing/DNS: use VIP only when reachable; otherwise temporarily point kubeconfig server: at a control-plane IP (see README §3).