As of today we have the option to only allow access to the Kubernetes API over a private network connection.
Currently the Kubernetes API is available over the public internet. We can now configure your cluster to only be accessible over a private network or VPN connection.
For systems that cannot easily connect over a VPN connection or a peering connection, we can whitelist the IP to still allow access. This only works for static IPs. The IPs of the NAT gateways that we use for our automated rollouts are whitelisted by default.
You can contact your lead engineer if you want to have this configured for your cluster(s).