For a bare-metal cluster one simple set and forget about it solution is to port forward another external port (e.g., randomish 51203) to the internal control-plane-ip:6443 and block port scan attacks using fail2ban, DenyHosts, psad, etc. This should prevent most of the attacks.