Currently, using the DigitalOcean Load Balancer product from the DO Kubernetes integration exposes all services to the internet.
In the K8s documentation you can specify loadBalancerSourceRanges in external load balancers to block traffic to your services from anywhere outside of your cluster, like so:
loadBalancerSourceRanges:
  - 10.0.0.0/8
This is supported on Google Compute Engine, Google Kubernetes Engine, AWS Elastic Kubernetes Service, Azure Kubernetes Service, and IBM Cloud Kubernetes Service.
This has been posted in this community question, which has 12 replies, indicating that I'm not the only one who needs this for DigitalOcean's Load Balancer product to be viable with Kubernetes. Without this, if someone finds out your node IP, they can connect to your services directly, which is an attack vector.
[Jun 30 2020 update: I've given up on DigitalOcean: I'm switching to Azure.]
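An added example, not part of the original post: a check that lists which LoadBalancer Services in a cluster declare no source restriction, or declare one that matches every address. The function name `audit_services` and the sample data are assumptions made for this illustration; the input is assumed to have the shape of `kubectl get services -A -o json` output.

```python
import ipaddress
import json

# Constructed sample, shaped like `kubectl get services -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "default", "name": "api"},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["10.0.0.0/8"]}},
    {"metadata": {"namespace": "default", "name": "admin"},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["0.0.0.0/0"]}},
    {"metadata": {"namespace": "default", "name": "db"},
     "spec": {"type": "ClusterIP"}},
]})


def audit_services(service_list_json):
    """Return (namespace, name, finding) for each LoadBalancer Service
    whose spec does not restrict the source addresses."""
    findings = []
    for item in json.loads(service_list_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # only external load balancers use the field
        meta = item.get("metadata", {})
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges:
            finding = "no loadBalancerSourceRanges set"
        else:
            # A /0 prefix (0.0.0.0/0 or ::/0) matches every address.
            wide = [r for r in ranges
                    if ipaddress.ip_network(r, strict=False).prefixlen == 0]
            if not wide:
                continue
            finding = "allows any source: " + ", ".join(wide)
        findings.append((meta.get("namespace"), meta.get("name"), finding))
    return findings


if __name__ == "__main__":
    # The field only restricts traffic where the provider's load balancer
    # integration implements it, so this checks the declared intent only.
    for namespace, name, finding in audit_services(SAMPLE):
        print(f"{namespace}/{name}: {finding}")
```
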