Add ability to limit access to k8s API
Created by: garloff
Currently, the load balancer in front of the kube-apiserver (:6443) allows connections from everywhere, so you can manage the created workload k8s cluster from anywhere (if you have a kubeconfig with the right certificate). This has some downsides:
- Cluster owners may be nervous about exposing the kubeAPI to the world, "only" protected by a client certificate. In particular, the hostile world may attempt to connect, causing lots of connections and a certain amount of load from the SSL/TLS connection setups.
- Significantly prolonging the timeouts after which the load balancer cuts idle connections (which is under consideration, to avoid broken internal connections, e.g. from kubelet to the kubeAPI) may not be such a good idea when lots of potentially evil external connection attempts are eating resources at the load balancer.
The idea is that we introduce a new parameter, allowing the user to specify an array of IP ranges (CIDRs). The default would be 0/0, as today. If a range different from 0/0 is specified, the implementation would need to add the NODE_CIDR range to it (so cluster-internal connections to the API work) as well as the FIPs of the management cluster[*], so the kubectl connections from it work.
[*] Should we allow the IPs used for SNAT of outgoing connections from this cloud provider? This would ensure access even in case of changes in the management cluster ... On the other hand, any evil party with an account on this cloud could again talk to the API server and "only" be kept out by not having the needed client cert. If a user really cares about not having 0/0 access, I would assume that we should be restrictive here, so my weak opinion on this is "no".
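The rule proposed above (user-supplied CIDR list, 0/0 as the default, and NODE_CIDR plus the management cluster FIPs merged in whenever the user restricts access) can be expressed as a small pure function. The following is an added illustration written for this issue, not code from the issue author or from the k8s-cluster-api-provider; the parameter names and the sample CIDRs and FIPs are assumptions chosen for the example, and the second function is a defender-side check you can run against a source address to confirm that kubelet and management-cluster traffic would still get through while the rest of the internet would not.

```python
"""Compute the effective allow-list for the load balancer listener in front
of the kube-apiserver (:6443), following the rule described in the issue.

Added example; parameter names (user_cidrs, node_cidr, mgmt_fips) are
assumptions for illustration, not the project's real configuration keys.
"""
import ipaddress
from typing import Iterable, List

# "0/0" in the issue text: allow everyone, the current default behaviour.
ANY_CIDR = ipaddress.ip_network("0.0.0.0/0")


def _parse_cidrs(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings; garbage raises ValueError so a typo in the
    parameter fails loudly instead of silently opening or closing access."""
    nets = []
    for c in cidrs:
        net = ipaddress.ip_network(c.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 ranges are handled in this example: {c}")
        nets.append(net)
    return nets


def effective_allowed_cidrs(user_cidrs: Iterable[str], node_cidr: str,
                            mgmt_fips: Iterable[str]) -> List[str]:
    """Return the CIDR list to program into the load balancer.

    - empty list or any entry equal to 0.0.0.0/0 -> ["0.0.0.0/0"] (today's behaviour)
    - otherwise: user ranges + NODE_CIDR + one /32 per management-cluster FIP,
      collapsed so that overlapping/contained ranges do not bloat the list.
    """
    requested = _parse_cidrs(user_cidrs) if user_cidrs else [ANY_CIDR]
    if ANY_CIDR in requested:
        return [str(ANY_CIDR)]

    internal = [ipaddress.ip_network(node_cidr, strict=False)]
    internal += [ipaddress.ip_network(f"{fip.strip()}/32") for fip in mgmt_fips]

    merged = ipaddress.collapse_addresses(requested + internal)
    return [str(n) for n in sorted(merged)]


def is_source_allowed(src_ip: str, allowed: Iterable[str]) -> bool:
    """Would a connection from src_ip pass the computed allow-list?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in allowed)


if __name__ == "__main__":
    # Constructed sample values (documentation ranges, not real deployments).
    allowed = effective_allowed_cidrs(
        user_cidrs=["198.51.100.0/24"],          # the operator's office range
        node_cidr="10.8.0.0/20",                  # NODE_CIDR of the workload cluster
        mgmt_fips=["203.0.113.10", "203.0.113.20"],  # management cluster FIPs
    )
    print("listener allow-list:", allowed)
    for src in ("10.8.3.4", "203.0.113.10", "198.51.100.77", "192.0.2.1"):
        print(f"{src:>15} -> {'allowed' if is_source_allowed(src, allowed) else 'blocked'}")
```

The returned list is what would be handed to the load balancer (for an Octavia-backed setup that is the listener's `allowed_cidrs` attribute). Because the list is collapsed, a user range that already contains NODE_CIDR (e.g. `10.0.0.0/8` over `10.8.0.0/20`) does not produce a redundant entry, and a user who passes `0.0.0.0/0` anywhere in the array gets exactly the current unrestricted behaviour rather than a mixed list.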