I currently have services running on the Google App Engine platform which use the X-Appengine-Inbound-Appid header to limit HTTP requests to our apps only.

I recently found out that some of my services require a static IP and therefor I would like to move some of the services to the Kubernetes Engine.

Is there a way for Kubernetes Engine to secure requests using a similar header approach? The requests should only be allowed from our own Firebase apps.

Ideally I would keep things as simple as possible for the clients using the services.

Possibly I could generate a specific API key for each user which can be blacklisted on abuse, but that already adds quite a bit of complexity.