Replies: 1 comment
-
Kubernetes makes extensive use of NAT when routing traffic around within the cluster. Depending on how you expose the pod you'll see different source addresses for traffic at the IP level. You can reference the Kubernetes docs: https://kubernetes.io/docs/tutorials/services/source-ip/
-
Environmental Info:
K3s Version:
% k3s -v
k3s version v1.31.4+k3s1 (a562d09)
go version go1.22.9
Node(s) CPU architecture, OS, and Version:
% uname -a
Linux debian-4gb-nbg1-1 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
Cluster Configuration:
Just a single deb server on Hetzner
Describe the bug:
I want some services only available to the host and some available to the internet at large, but adding a middleware allowlist with 127.0.0.1/32 blocks host and external, and 10.0.0.0/8 allows both host and external.
Steps To Reproduce:
Expected behavior:
Allowlisting 127.0.0.1 should allow traffic from the host and not the rest of the world.
and/or there should be a way to specify traffic from the host?
Actual behavior:
Allowlisting 127.0.0.1 allows nothing.
Additional context / logs:
I tried setting up the whoami image to debug. curl on the actual server running k3s has the same output as running
curl whoami.mydomain.com
remotely from my laptop.
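The behaviour reported above, reproduced as an added example that is not part of the original discussion: it parses whoami output for the client address the proxy saw and checks it against each allowlist. The whoami bodies and the 10.42.0.x addresses are constructed, and the example assumes NAT has rewritten host and external requests to the same cluster-internal source, as the identical curl output suggests.

```python
import ipaddress

# Constructed whoami responses (not from the post). X-Real-Ip is the client
# address the proxy saw; RemoteAddr is the proxy pod talking to whoami.
WHOAMI_FROM_HOST = """Hostname: whoami-5c8d94f78-abcde
IP: 127.0.0.1
IP: 10.42.0.12
RemoteAddr: 10.42.0.8:51234
GET / HTTP/1.1
Host: whoami.mydomain.com
X-Forwarded-For: 10.42.0.1
X-Real-Ip: 10.42.0.1
"""
# Assumption: the remote request differs only in the ephemeral port.
WHOAMI_FROM_LAPTOP = WHOAMI_FROM_HOST.replace("51234", "40022")


def client_ip_seen_by_proxy(whoami_text):
    """Return the X-Real-Ip value from a whoami response body."""
    for line in whoami_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-real-ip":
            return ipaddress.ip_address(value.strip())
    raise ValueError("no X-Real-Ip header in whoami output")


def allowed(source_ip, source_ranges):
    """Allowlist check: is source_ip inside any of the CIDR ranges?"""
    return any(source_ip in ipaddress.ip_network(r) for r in source_ranges)


def evaluate(source_ranges):
    """Return (host_allowed, external_allowed) for one allowlist."""
    host = client_ip_seen_by_proxy(WHOAMI_FROM_HOST)
    external = client_ip_seen_by_proxy(WHOAMI_FROM_LAPTOP)
    return allowed(host, source_ranges), allowed(external, source_ranges)


if __name__ == "__main__":
    for ranges in (["127.0.0.1/32"], ["10.0.0.0/8"]):
        host_ok, external_ok = evaluate(ranges)
        print(f"{ranges}: host={host_ok} external={external_ok}")
```

When both clients report the same address here, no source-range allowlist can tell them apart until the original source IP is preserved, which is what the linked Kubernetes page covers.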