K3S and IPTables Woes: How to IP whitelist on firewall level?

Hi,

I have a very simple use case: I need to whitelist certain IPs (and reject the rest) so they can access Traefik on a k3s node. I want it to be blocked at the firewall level, not at the ingress, nor at the pod level.

I assume this cannot be done with a network policy, and anyway I don't need any granular blocking.

My problem is that UFW is not working.
I need the ufw deny rule for port 80 and port 443 to be respected, along with the allow rule for certain IPs.

I learned that Kubernetes (Flannel?) in general uses iptables internally to forward traffic from port 80/443 to Traefik, and those rules sit above UFW's.

With Docker, the usual solution is something like this: GitHub - chaifeng/ufw-docker: To fix the Docker and UFW security flaw without disabling iptables. With k3s I'm not sure where to start. :confused:

Any clue how to solve this problem? Thank you in advance
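One way to get the firewall-level whitelist the post asks for, as an added example that is not from the original poster or from the k3s project. The reason UFW is bypassed is that UFW only writes rules into the filter table's INPUT and FORWARD chains, while kube-proxy (and, for hostPort-based setups such as k3s's ServiceLB, the CNI port-mapping plugin) rewrites the destination in nat/PREROUTING first, so the packet is forwarded to a pod and never hits INPUT, and FORWARD already carries Kubernetes' own ACCEPT rules ahead of UFW's. The raw table's PREROUTING chain is traversed before nat/PREROUTING, and the assumption here is that k3s, Flannel and kube-proxy leave the raw table alone (Flannel and kube-proxy use nat and filter; some other CNIs such as Calico or Cilium do use raw, so check with `iptables -t raw -S` first). The external interface name `eth0`, the set name `k3s_web_allow` and the example CIDRs are hypothetical. The script prints the iptables/ipset commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original post or the k3s project): whitelist source
# IPs for ports 80/443 on a k3s node in raw/PREROUTING, i.e. before the
# Kubernetes DNAT rules that cause UFW's INPUT/FORWARD rules to be skipped.
# Assumptions: iptables (nft or legacy backend) and ipset are installed, k3s and
# its CNI do not manage the raw table, and the interface/set names are hypothetical.
set -eu

EXT_IF="${EXT_IF:-eth0}"                 # hypothetical external interface
SET_NAME="${SET_NAME:-k3s_web_allow}"    # hypothetical ipset name
PORTS="80,443"

# Print the idempotent command list for a space-separated allow list of CIDRs.
# Printed rather than executed so it can be reviewed (or diffed) before apply.
build_rules() {
  allow_list="$1"
  # hash:net accepts both single hosts and prefixes; -exist makes re-runs safe.
  printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
  printf 'ipset flush %s\n' "$SET_NAME"
  for cidr in $allow_list; do
    # Light syntax check so nothing unexpected reaches the shell; ipset itself
    # still rejects anything malformed (e.g. an out-of-range octet).
    case "$cidr" in
      *[!0-9./]*|"") echo "bad CIDR: $cidr" >&2; return 1 ;;
    esac
    printf 'ipset add %s %s -exist\n' "$SET_NAME" "$cidr"
  done
  # Drop new connections (--syn) to 80/443 whose source is not in the set.
  # Return traffic of existing flows never carries a bare SYN, so it is untouched.
  # -C checks whether the rule already exists; only insert it when it does not.
  rule="PREROUTING -i $EXT_IF -p tcp --syn -m multiport --dports $PORTS -m set ! --match-set $SET_NAME src -j DROP"
  printf 'iptables -t raw -C %s 2>/dev/null || iptables -t raw -I %s\n' "$rule" "$rule"
}

# Apply the generated commands (run as root).
apply_rules() {
  build_rules "$1" | sh -e
}

# Show what is currently installed so the result can be verified on the node.
verify_rules() {
  iptables -t raw -S PREROUTING
  ipset list "$SET_NAME"
}

# Usage on the node, with hypothetical allow list (documentation prefixes):
#   build_rules "203.0.113.0/24 198.51.100.7"      # review
#   sudo sh -c '. ./whitelist.sh; apply_rules "203.0.113.0/24 198.51.100.7"'
```

Two caveats a practitioner will want: this only covers IPv4, so repeat it with `ip6tables` and a `hash:net family inet6` set if the node has a public IPv6 address, and raw-table rules are not persisted across reboots by k3s or UFW, so put the apply step in a systemd unit or use your distribution's `iptables-persistent`/`netfilter-persistent` mechanism. Because the drop happens before DNAT, it applies equally to the hostPort path used by k3s's ServiceLB and to a NodePort service, which is what makes it a firewall-level rather than an ingress-level control.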

Shoot, just signed up to say I have this exact problem with my self-hosted k3s cluster.
Just wanted to create a “secure” backyard cluster to test out stuff, but it’s really strange that it overlooks UFW rules.
I'm going to dive deeper than that, see what UFW does, and how Traefik is being affected by that.