It is expected that the rule would be created with Pod IPs. The Cluster IP gets DNATted by a rule installed by kube-proxy (if you’re running in iptables mode) to the Pod IP, so it is correct to use the pod IP in the rule.
Are you seeing an actual problem? What happens when you access the pod IP from outside the cluster? (I’m wondering if you need to advertise the service IP).
If you want to match on cluster IP, you need to use host endpoint pre-DNAT policy so you see the packet before the DNAT happens. This doc explains how to do that, with node ports in mind: https://docs.projectcalico.org/security/kubernetes-node-ports
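A sketch of the pre-DNAT approach described above, added as an illustration and not part of the original reply. The node name, interface, label, policy name and all CIDRs are constructed placeholders to replace with your cluster's values.

```yaml
# Added example: every name, label and CIDR below is an assumption.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0               # hypothetical name
  labels:
    host-endpoint: ingress       # hypothetical label, matched by the policy selector
spec:
  node: node1                    # must equal the Calico node name
  interfaceName: eth0            # interface on which external traffic arrives
---
# Pre-DNAT policy is evaluated before kube-proxy's DNAT rule rewrites the
# destination, so destination.nets still sees the cluster IP, not the pod IP.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: cluster-ip-pre-dnat      # hypothetical name
spec:
  order: 10
  preDNAT: true
  applyOnForward: true           # must be true when preDNAT is true
  selector: has(host-endpoint)
  ingress:                       # pre-DNAT policy accepts ingress rules only
    # Keep node-to-node and pod traffic working.
    - action: Allow
      source:
        nets:
          - 10.240.0.0/16        # constructed: node CIDR
          - 10.244.0.0/16        # constructed: pod CIDR
    # Trusted external clients may reach one service by its cluster IP.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 192.0.2.0/24         # constructed: trusted client range
      destination:
        nets:
          - 10.96.0.10/32        # constructed: the service's cluster IP
        ports:
          - 80
    # Everything else addressed to the service CIDR is dropped before DNAT.
    - action: Deny
      destination:
        nets:
          - 10.96.0.0/12         # constructed: service CIDR
```

Creating a host endpoint on a named interface also subjects the node's own traffic on that interface to Calico policy (only the failsafe ports stay open by default), so have normal allow policy for host traffic in place before applying it.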