WIP: CIDR allow list for API server access

[sjenning]

What this PR does / why we need it:
Implements CIDR allow list for API server access
https://issues.redhat.com/browse/HOSTEDCP-240

WIP: Still need to figure out the private address range the nodes use to connect over PrivateLink so we can always allow that.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[netlify]

✅ Deploy Preview for hypershift-docs ready!

Name	Link
🔨 Latest commit	b6cae24
🔍 Latest deploy log	https://app.netlify.com/sites/hypershift-docs/deploys/628fd8d0f6562c000878b884
😎 Deploy Preview	https://deploy-preview-1419--hypershift-docs.netlify.app/reference/api
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sjenning]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[csrwng]

This lgtm, I assume it's WIP because you're still testing it?

[sjenning]

WIP because I need to add a rule that is always present for private clusters to allow nodes access over PrivateLink

[openshift-ci]

@sjenning: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/capi-provider-agent-sanity	b6cae24	link	false	/test capi-provider-agent-sanity
ci/prow/e2e-kubevirt-gcp-ovn	b6cae24	link	false	/test e2e-kubevirt-gcp-ovn
ci/prow/e2e-aws	b6cae24	link	true	/test e2e-aws
ci/prow/e2e-aws-nested	b6cae24	link	false	/test e2e-aws-nested

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[alvaroaleman]

Ref https://issues.redhat.com/browse/HOSTEDCP-464

[sjenning]

This is a dead end. NetworkPolicies are not a suitable mechanism for this with the SNATing that occurs for off cluster traffic.