firewall_controller: no way to restrict inbound source CIDRs for LoadBalancer services on DOKS (hardcoded to 0.0.0.0/0)
Roman Pashko
Problem
When using a DOKS cluster with a LoadBalancer type Service, the CCM automatically manages a k8s-public-access-* firewall and adds inbound rules for the service ports (e.g. 80, 443) with source hardcoded to 0.0.0.0/0 / ::/0.
There is no way to restrict these rules to private or specific CIDRs only. Any manual changes to the firewall are reverted by the controller on the next reconcile.
Expected behavior
Allow specifying allowed source CIDRs for the auto-managed firewall inbound rules, for example via a Service annotation or a CCM environment variable — similar to how spec.loadBalancerSourceRanges works for the Load Balancer itself.
Use case
Clusters behind Cloudflare (or any CDN/proxy) should only accept traffic from the CDN IP ranges — not from the entire internet. Right now this is only possible at the Load Balancer level (spec.loadBalancerSourceRanges), but the node-level firewall stays wide open regardless.
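An added check, not part of this issue or of the CCM itself, that audits exported firewall objects for inbound rules whose sources admit the whole internet, so the node-level gap described above can be confirmed rather than assumed. The field names follow the DigitalOcean firewall API object shape (as returned by `doctl compute firewall list --output json`); the sample data is constructed.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of DigitalOcean's firewall API object
# (a list, as `doctl compute firewall list --output json` prints it).
SAMPLE_FIREWALLS = json.dumps([
    {
        "name": "k8s-public-access-1234abcd",
        "inbound_rules": [
            {"protocol": "tcp", "ports": "80",
             "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
            {"protocol": "tcp", "ports": "443",
             "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        ],
    },
    {
        "name": "k8s-abcd1234-worker",
        "inbound_rules": [
            {"protocol": "tcp", "ports": "22",
             "sources": {"addresses": ["10.10.0.0/16"]}},
        ],
    },
])


def is_wide_open(cidr: str) -> bool:
    """True for a source CIDR that admits every address of its family
    (0.0.0.0/0 or ::/0), i.e. a /0 prefix."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_wide_open_inbound(firewalls_json: str,
                            name_prefix: str = "k8s-public-access-"):
    """Return (firewall name, protocol, ports) for every inbound rule on a
    firewall whose name starts with name_prefix and whose sources include
    a wide-open CIDR. An empty list means no rule is open to everyone."""
    findings = []
    for fw in json.loads(firewalls_json):
        if not fw.get("name", "").startswith(name_prefix):
            continue
        for rule in fw.get("inbound_rules", []):
            addresses = rule.get("sources", {}).get("addresses", [])
            if any(is_wide_open(a) for a in addresses):
                findings.append((fw["name"], rule.get("protocol"),
                                 rule.get("ports")))
    return findings


if __name__ == "__main__":
    for name, proto, ports in audit_wide_open_inbound(SAMPLE_FIREWALLS):
        print(f"{name}: {proto}/{ports} open to all sources")
```

Running it against a real export after setting spec.loadBalancerSourceRanges shows whether the managed firewall still carries the 0.0.0.0/0 rules.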