Secure Kubernetes deployment

I have 2 networks; they are called white and black.

The white network contains all of my management consoles and admin servers.
The black network contains all of my worker servers which the admin servers send commands to from behind a NAT firewall.

This provides our company some security as there is never a connection which is initiated inbound to the white network.

We are now looking to move to Kubernetes and would like to use this same approach.

My understanding, however, is that ALL servers need to be on a single flat LAN without NAT, which is problematic.
Is it possible to then put the control plane servers behind a NAT firewall and offload SSL to an NGINX proxy that would straddle both networks? This way it would “seem” that it’s on the same network and would again provide us some security.

If this is possible, how would I go about it?