diff --git a/deploy-k3s/manifests/kratos/ingress.yaml b/deploy-k3s/manifests/kratos/ingress.yaml
index 9637aa5..304cee7 100644
--- a/deploy-k3s/manifests/kratos/ingress.yaml
+++ b/deploy-k3s/manifests/kratos/ingress.yaml
@@ -1,10 +1,16 @@
 # Public ingress for Ory Kratos — auth.myhoneydue.com → Kratos public API :4433.
 #
-# Chains the same edge middlewares as the honeyDue API ingress: cloudflare-only
-# (reject non-Cloudflare source IPs), security-headers, and the general
-# rate-limit. Kratos's self-service flows are multi-request, so the strict
-# auth-rate-limit (5/min) is intentionally NOT used here — Kratos applies its
-# own per-flow protections.
+# Middlewares match the honeyDue API ingress (security-headers + rate-limit).
+# The cloudflare-only middleware is intentionally NOT applied here: on this
+# cluster, klipper-lb SNATs the source IP before Traefik sees it, so
+# cloudflare-only's IP allowlist rejects every legitimate Cloudflare request
+# (verified 2026-06-03 — iOS Apple Sign In failed silently because Kratos
+# never received the request). The api ingress doesn't use cloudflare-only
+# for the same reason. DDoS protection still rides on Cloudflare's edge.
+#
+# Kratos's self-service flows are multi-request, so the strict auth-rate-limit
+# (5/min) is intentionally NOT used here — Kratos applies its own per-flow
+# protections.
 #
 # OPERATOR: confirm the cloudflare-origin-cert TLS secret covers
 # auth.myhoneydue.com (apex + wildcard origin cert), and add the
@@ -18,7 +24,7 @@ metadata:
     app.kubernetes.io/name: kratos
     app.kubernetes.io/part-of: honeydue
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: honeydue-cloudflare-only@kubernetescrd,honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
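Review bot: The same SNAT that broke cloudflare-only also undermines the remaining honeydue-rate-limit middleware on the new annotation line, because Traefik's RateLimit keys on the remote address by default, so every request arrives from klipper-lb's single address and shares one bucket — a burst from one client (or just aggregate legitimate load) rate-limits all users of the auth endpoint, while per-client limiting is effectively gone; the middleware definition is outside this diff, so confirm whether its ipStrategy/sourceCriterion already reads CF-Connecting-IP or X-Forwarded-For. The new header comment also states that DDoS protection "still rides on Cloudflare's edge", which holds only while the origin is reachable solely through Cloudflare; with the allowlist gone, nothing on this ingress distinguishes edge traffic from direct-to-origin traffic, so that assumption belongs in the OPERATOR block rather than as a fact. Consider noting the durable fixes there — restoring the real client IP (for example `externalTrafficPolicy: Local` on the Traefik service, if klipper-lb on this cluster honors it) or Cloudflare Authenticated Origin Pulls, which verify the edge by mTLS instead of source IP and would let cloudflare-only-style gating return. A comment such as `# NOTE: with the source IP SNATed, honeydue-rate-limit sees one address for all clients unless its ipStrategy reads CF-Connecting-IP — verify before relying on it` would keep the next maintainer from treating the remaining middleware as per-user protection.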