diff --git a/sso-mfa/k8s/lldap/middleware.yaml b/sso-mfa/k8s/lldap/middleware.yaml
index 925d6b9..c3bf970 100644
--- a/sso-mfa/k8s/lldap/middleware.yaml
+++ b/sso-mfa/k8s/lldap/middleware.yaml
@@ -17,7 +17,7 @@ metadata:
     app.kubernetes.io/part-of: net-kingdom-sso-mfa
     net-kingdom/component: sso
 spec:
-  ipAllowList:
+  ipWhiteList:
     # EDIT: replace with your VPN/office CIDRs.
     sourceRange:
       - "10.0.0.0/8"
diff --git a/sso-mfa/k8s/privacyidea/middleware.yaml b/sso-mfa/k8s/privacyidea/middleware.yaml
index caa4ce6..7117a6e 100644
--- a/sso-mfa/k8s/privacyidea/middleware.yaml
+++ b/sso-mfa/k8s/privacyidea/middleware.yaml
@@ -36,8 +36,8 @@ spec:
 # ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
 # Leaving RFC-1918 ranges here is only a dev/staging default.
 #
-# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
-# Check your Traefik version and update accordingly.
+# Traefik v2 uses ipWhiteList; Traefik v3 uses ipAllowList.
+# This cluster runs Traefik 2.10 (K3s 1.30 bundle) — ipWhiteList required.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -47,7 +47,7 @@ metadata:
     app.kubernetes.io/part-of: net-kingdom-sso-mfa
     net-kingdom/component: mfa
 spec:
-  ipAllowList:
+  ipWhiteList:
     # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
     # Example VPN: "10.8.0.0/24"
     sourceRange: