I had this same issue when using Keycloak in Docker Swarm. I don’t have any experience with K8s but maybe this might help.
For us, there were two parts. The docker ingress network uses IPVS and SNAT which masquerades the source IP as the docker node’s ingress IP, so we would see the private IP of the docker nodes on the ingress network instead of the true source IP of the client. We have a workaround in place using the docker-ingress-routing-daemon as it seems to just be built this way by design in Docker Swarm.
The other part was that for our container, we needed to ensure the following environment variable was set:
With these two changes, we were able to see the true source IP address of the client.
From there we added IP restrictions using the undertow subsystem on certain paths so that, for example, our master realm was only accessible from our internal IPs. This can be done through the JBoss CLI, located by default in the container at /opt/jboss/keycloak/bin/jboss-cli.sh. For us, we do this with JBoss CLI and extend the Keycloak image because we do other customizing, but if you didn’t want to extend the Keycloak image, I suppose you could just create a script that edits the standalone.xml file and mount it in the startup-scripts directory. Here’s a link explaining how this is done: keycloak-documentation/admin.adoc at master · keycloak/keycloak-documentation · GitHub
I know it’s not K8s but I hope this helps!
edit: added links
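An added example, not the poster's own script: a small POSIX shell helper that renders the JBoss CLI commands for the kind of undertow IP restriction described above, so the output can be dropped into the Keycloak image's startup-scripts directory as a .cli file. The filter name, the path prefixes, the allowlisted CIDRs and the standalone-ha.xml config file name are all assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example (not the poster's script). Renders a JBoss CLI script that adds an
# undertow expression-filter allowing the given path prefixes only from an IP allowlist.
# Assumptions: IPv4 CIDRs, the Keycloak image executes *.cli files found in
# /opt/jboss/startup-scripts, and the server config file is named by SERVER_CONFIG.

SERVER_CONFIG="${SERVER_CONFIG:-standalone-ha.xml}"

# Fail closed: reject anything that is not a dotted-quad IPv4 CIDR, so a typo in the
# allowlist cannot silently become a filter that matches nothing or everything.
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Usage: render_ip_acl_cli "<filter-name>" "<path-prefix> ..." "<cidr> ..."
# Prints the CLI script on stdout; returns 1 on an invalid CIDR.
render_ip_acl_cli() {
    name=$1; prefixes=$2; cidrs=$3
    pred=""; acl=""
    for p in $prefixes; do
        pred="${pred:+$pred or }path-prefix('$p')"
    done
    for c in $cidrs; do
        is_ipv4_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
        acl="${acl:+$acl, }'$c allow'"
    done
    # default-allow=false: any source not in the ACL is denied on the matched paths.
    cat <<EOF
embed-server --server-config=$SERVER_CONFIG --std-out=echo
/subsystem=undertow/configuration=filter/expression-filter=$name:add(expression="($pred) -> ip-access-control(default-allow=false, acl={$acl})")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=$name:add()
stop-embedded-server
EOF
}

# Write the script where the Keycloak image picks it up at startup, if that
# directory exists (e.g. when this runs inside an extended image build).
if [ -d /opt/jboss/startup-scripts ]; then
    render_ip_acl_cli ipAccess "/auth/admin /auth/realms/master" "10.0.0.0/16" \
        > /opt/jboss/startup-scripts/ip-access.cli
fi
```

The filter only sees the real client address once the proxy/ingress changes from the post are in place; otherwise the allowlist is evaluated against the ingress node's IP.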