What Kubernetes functionality can/must be driven though Runners, proxies, direct from GitLab?

Looking to avoid any direct connections from GitLab’s SaaS world into our network, but want to use as much Kubernetes functionality as possible. Is there a breakdown of which Kubernetes functionality CAN work vs. ONLY works via locally-deployed Runners, locally-deployed proxies, and direct from GitLab’s SaaS deployment?