K3S and IPTables Woes: How to IP whitelist on firewall level?


I have a very simple use case, I need to whitelist certain IPs (and reject the rest) so it can access traefik on a k3s node. I want it to be blocked on firewall level, not on the ingress, nor in pod level.

I assume this cannot be done with network policy, and anyway I don’t need any granular blocking.

My problem is UFW is not working.
I need the ufw deny rule for port 80 and port 443 to be respected, along with an allow rule for certain IPs.

I learned that Kubernetes (Flannel?) in general uses iptables internally to forward traffic from port 80/443 to traefik, and those rules sit above UFW's.

With Docker, the usual solution is something like this: GitHub - chaifeng/ufw-docker: To fix the Docker and UFW security flaw without disabling iptables. With k3s I'm not sure where to start.

Any clue how to solve this problem? Thank you in advance.
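As an added example that is not part of this thread: a small POSIX shell script that puts the whitelist in the iptables raw table, which is evaluated before the nat PREROUTING chain where k3s (kube-proxy or the CNI portmap plugin) DNATs ports 80/443 to traefik, so the drop happens before any NAT and kube-proxy does not reorder it when it resyncs its own chains. The interface name `eth0` and the whitelisted addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates, and with --apply
# loads, rules in the iptables raw table. raw PREROUTING runs before nat
# PREROUTING, where k3s DNATs 80/443 to traefik, and kube-proxy leaves the
# raw table alone, so the whitelist is honoured regardless of UFW ordering.

WAN_IF="eth0"                                  # assumed external interface
ALLOWED_SOURCES="203.0.113.10 198.51.100.0/24" # constructed example whitelist
PORTS="80,443"

# Print an iptables-restore fragment for the raw table.
#   $1 = space-separated allowed sources, $2 = comma-separated TCP ports,
#   $3 = inbound interface the rules apply to
gen_raw_rules() {
  allowed="$1"; ports="$2"; iface="$3"
  printf '%s\n' '*raw'
  printf '%s\n' ':K3S-WHITELIST - [0:0]'
  # Route TCP packets for the ingress ports arriving on the WAN NIC
  # through our chain; pod and loopback traffic on other interfaces is untouched
  printf '%s\n' "-A PREROUTING -i $iface -p tcp -m multiport --dports $ports -j K3S-WHITELIST"
  for src in $allowed; do
    # Whitelisted sources leave the chain and continue on to k3s's DNAT rules
    printf '%s\n' "-A K3S-WHITELIST -s $src -j RETURN"
  done
  # Everyone else is dropped before conntrack or NAT ever sees the packet
  printf '%s\n' '-A K3S-WHITELIST -j DROP'
  printf '%s\n' 'COMMIT'
}

if [ "${1:-}" = "--apply" ]; then
  # --noflush keeps the existing k3s and UFW rules; needs root on the node
  gen_raw_rules "$ALLOWED_SOURCES" "$PORTS" "$WAN_IF" | iptables-restore --noflush
else
  gen_raw_rules "$ALLOWED_SOURCES" "$PORTS" "$WAN_IF"
fi
```

Re-running with --apply appends a duplicate PREROUTING jump, so delete the earlier jump and flush K3S-WHITELIST before reloading; the rules are also not persistent across reboots on their own.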