Kops 1.18 supports AllowedCIDRs which is the modern Octavia way to whitelist API access on a loadbalancer instead of using a Security Group.
So far so good.
Problem is: kops update cluster wants the ordering of the whitelisted ip's returned by OpenStack's api to exactly match the ordering of kops state bucket (e.g. kops get cluster -o yaml). This means a dry run of kops update cluster will always mention this change, even though it's not an actual change.

1. What kops version are you running? The command kops version, will display
this information.
1.18.2

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
1.18.9

3. What cloud provider are you using?
OpenStack

4. What commands did you run? What is the simplest way to reproduce this issue?
kops update cluster

5. What happened after the commands executed?
The diff shows 2 lists. The current state (the allowed-cidrs array on the openstack loadbalancer listener) and the desired state (from kops edit cluster: kubernetesApiAccess).

They are the same, just having a different ordering of the list. So you can keep on applying (kops update cluster --yes), but this will keep coming back as a change that needs to be applied.

6. What did you expect to happen?
The ordered list comparison should be an unordered list comparison. It's about the contents of the arrays being compared, ordering is irrelevant.