Disclaimer: I don’t know much about securing the container itself. The considerations I discuss here are mostly networking.
What I’ve personally been doing is using k3s with Cloudflare Tunnel (routed using DNS like in this documentation) as an ingress.
With Cloudflare Tunnel, if you create an application in front of it, you can require authentication and add a list of allowed emails.
I could replace k3s with a different Kubernetes distribution, and/or replace Cloudflare Tunnel with a different ingress (e.g., Tailscale Funnel or more common ingresses like nginx).
I kept seeing so many different ones recommended and I kept getting weird issues I didn’t understand with most of them. I don’t often need to make a bootable Linux USB, but every time, Rufus did the job quick and easy.