## Author
Birat Aryal - birataryal.github.io
Created Date: 2026-02-16
Updated Date: Monday 16th February 2026 22:14:14
Website - birataryl.com.np
Repository - Birat Aryal
LinkedIn - Birat Aryal
DevSecOps Engineer | System Engineer | Cyber Security Analyst | Network Engineer
## Architecture

### Components

#### 1) Management cluster (CAPI management plane)

The management cluster hosts the controllers that reconcile the desired state:

- `capi-controller-manager` (core CAPI)
- `capv-controller-manager` (Cluster API Provider vSphere)
- `capi-kubeadm-bootstrap-controller-manager`
- `capi-kubeadm-control-plane-controller-manager`
- `capi-ipam-in-cluster` (if using `InClusterIPPool` / `IPAddressClaims`)
#### 2) Workload cluster (your target cluster)

Provisioned by the management cluster:

- Control plane: `KubeadmControlPlane` (replicas: 1 in this build)
- Workers: `MachineDeployment` (replicas: 2 in this build)
#### 3) vSphere objects created/consumed

- Template VM: `Alma-Clusterconfigtemplate`
- Folder: `/Eshare-SRVs/vm/UAT-Servers/ClusterServers`
- ResourcePool: `/Eshare-SRVs/host/192.168.150.16/Resources/CAPI_ClusterRP`
- Datastore: `R740xd-datastore1`
- Network/Portgroup: `TMSNW`
#### 4) API VIP (kube-vip)

- VIP: `192.168.35.100`
- DNS: `kube-api-server.uat.local` -> `192.168.35.100`
- Port: `6443`
- Runs as a static pod on the control plane via `/etc/kubernetes/manifests/kube-vip.yaml`
- Uses ARP mode (`vip_arp=true`) in this environment
### Traffic / reachability model

#### Management cluster -> Workload cluster

- CAPV controllers try to contact `https://kube-api-server.uat.local:6443`
- If the VIP is not routable, controllers repeatedly log `no route to host` and workers won't join

#### Workload nodes -> API VIP

- Worker `kubeadm join` also targets the VIP
- If the node has no default route (missing gateway), it cannot reach the VIP or DNS => join fails
### Failure modes that look like CAPV issues but are actually networking

- VM has an IP (from IPAM) but cannot ping the gateway
  - `ip route` shows no `default via ...`
  - `nmtui` shows the gateway empty
- CAPV logs show `cluster is not reachable`
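The following node-side check is an added example, not part of the original page or of the CAPV/kube-vip projects. It walks the three hops the reachability model above depends on (default route, DNS for the VIP name, TCP to the VIP on 6443) and reports each failure in terms of the symptom listed above. The hostname, VIP, port and manifest path are the values the page states; the `getent`-style DNS output format and the `vip_arp` env-var layout in the manifest are assumptions.

```bash
#!/bin/bash
# Added diagnostic for the CAPV/kube-vip reachability model; not the page's own code.
# Values below are the ones the page gives for this environment.
API_HOST="kube-api-server.uat.local"
API_VIP="192.168.35.100"
API_PORT="6443"
KUBE_VIP_MANIFEST="/etc/kubernetes/manifests/kube-vip.yaml"

# 0 if the supplied `ip route` output contains a default route (text in, so it
# can be checked against captured output as well as the live table).
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# 0 if getent-style output ("<ip> <name>") maps the API hostname to the VIP.
resolves_to_vip() {
    printf '%s\n' "$3" | awk -v h="$1" -v ip="$2" \
        '$1 == ip && $2 == h { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# 0 if the kube-vip manifest text sets env var vip_arp to "true" (ARP mode).
# Assumes the usual "- name: vip_arp" / "value: ..." pair of lines.
vip_arp_enabled() {
    printf '%s\n' "$1" | awk '/name: vip_arp$/ { want = 1; next }
        want && /value:/ { if ($0 ~ /"true"/) ok = 1; want = 0 }
        END { exit (ok ? 0 : 1) }'
}

# Live checks on this node; each failure maps to a symptom listed on the page.
check_node() {
    rc=0
    if ! has_default_route "$(ip route 2>/dev/null)"; then
        echo "FAIL: no 'default via ...' route; kubeadm join cannot reach the VIP or DNS"; rc=1
    fi
    if ! resolves_to_vip "$API_HOST" "$API_VIP" "$(getent hosts "$API_HOST" 2>/dev/null)"; then
        echo "FAIL: $API_HOST does not resolve to $API_VIP"; rc=1
    fi
    # bash /dev/tcp connect with a timeout, so no nc/curl dependency on the node
    if ! timeout 3 bash -c "exec 3<>/dev/tcp/$API_VIP/$API_PORT" 2>/dev/null; then
        echo "FAIL: $API_VIP:$API_PORT unreachable (CAPV would log 'no route to host')"; rc=1
    fi
    if [ -r "$KUBE_VIP_MANIFEST" ] && ! vip_arp_enabled "$(cat "$KUBE_VIP_MANIFEST")"; then
        echo "WARN: kube-vip manifest present but vip_arp is not \"true\""
    fi
    [ "$rc" -eq 0 ] && echo "OK: default route, DNS and $API_VIP:$API_PORT all reachable"
    return "$rc"
}

# Only touch the network when invoked with --check, so the functions can be
# sourced or tested offline.
if [ "${1:-}" = "--check" ]; then check_node; fi
```

Run it as `bash check-vip.sh --check` on a worker that fails to join (or on the control-plane node to also confirm the kube-vip manifest); a FAIL on the first check is the missing-gateway case described above.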