diff --git a/group_vars/stage_devnso/keycloak.yml b/group_vars/stage_devnso/keycloak.yml
index abd8686..d86fbed 100644
--- a/group_vars/stage_devnso/keycloak.yml
+++ b/group_vars/stage_devnso/keycloak.yml
@@ -1,3 +1,2 @@
 # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
-keycloak_https_whitelisted_ips:
- - 0.0.0.0/0 # Public access to keycloak
+keycloak_https_whitelisted_ips: []
diff --git a/group_vars/stage_prodnso/keycloak.yml b/group_vars/stage_prodnso/keycloak.yml
index 6983432..9d19e52 100644
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@@ -20,16 +20,13 @@ keycloak_admin_realm_acls:
 - name: mobene
 admin_ips:
 - 92.42.192.128/25 # MOB-486 - mobene
- - 167.235.150.201/32 # prodwork01-kube-cpl-01 ; DEV-786 mobene (nsodev) migration
- - 167.235.150.198/32 # prodwork01-kube-cpl-02 ; DEV-786 mobene (nsodev) migration
- - 167.235.150.195/32 # prodwork01-kube-cpl-03 ; DEV-786 mobene (nsodev) migration
- - 167.235.150.133/32 # prodwork01-kube-node-01 ; DEV-786 mobene (nsodev) migration
- - 167.235.150.197/32 # prodwork01-kube-node-02 DEV-786 mobene (nsodev) migration
- - 23.88.53.161/32 # prodwork01-kube-node-03 ; DEV-786 mobene (nsodev) migration
- - 195.201.113.110/32 # prodwork01-kube-node-04 ; DEV-786 mobene (nsodev) migration
- - 5.75.184.216/32 # prodwork01-kube-node-05 ; DEV-786 mobene (nsodev) migration
- - 91.107.228.133/32 # prodwork01-kube-node-06 ; => DEV-987
- - 167.235.25.0/32 # prodwork01-kube-node-07 ; => DEV-987
+ - 167.235.150.133/32 # DEV-786 - prodwork01-kube-node-01
+ - 167.235.150.197/32 # DEV-786 - prodwork01-kube-node-02
+ - 23.88.53.161/32 # DEV-786 - prodwork01-kube-node-03
+ - 195.201.113.110/32 # DEV-786 - prodwork01-kube-node-04
+ - 5.75.184.216/32 # DEV-786 - prodwork01-kube-node-05
+ - 91.107.228.133/32 # DEV-987 - prodwork01-kube-node-06
+ - 167.235.25.0/32 # DEV-987 - prodwork01-kube-node-07
 - name: linde
 admin_ips:
 - 145.225.17.1/32 # DEV-1142 - Linde
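Review bot: `keycloak_https_whitelisted_ips: []` removes the only tcp/443 source range for this stage, but the firewall task that consumes the list is not in this diff, so it is not visible whether an empty list makes that task skip the rule or submit a rule with no sources (which the hcloud API may reject); worth confirming before rollout. The same change is made for stage_qanso in the next file. The new value also drops the only explanation of how the stage is reached, where the old entry said `# Public access to keycloak`; I would keep that next to the value, e.g. `keycloak_https_whitelisted_ips: []  # no public tcp/443 exposure on this stage; reached via <access path - fill in>`.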
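Review bot: The seven worker-node entries kept under the mobene `admin_ips` are a static copy of what the new `Get k8s_worker_node_ips` task in roles/keycloak/tasks/_configure_traefik.yml now discovers from the hcloud label `service=kube_node`, so the two lists will drift the next time a node is replaced, which appears to be what this commit is cleaning up. If the realm ACL needs the worker nodes, consider appending `k8s_worker_node_ips` where `admin_ips` is consumed instead of hand-maintaining the addresses here; if the static copy is deliberate, a comment on the first kept entry such as `# static copy of this stage's kube_node IPs - keep in sync with the hcloud lookup` would stop the next cleanup from removing them. The removal of the three control-plane entries (cpl-01..03) is not explained anywhere in the hunk; a ticket reference in the commit message or a comment would help.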
diff --git a/group_vars/stage_qanso/keycloak.yml b/group_vars/stage_qanso/keycloak.yml
index 5d10877..d86fbed 100644
--- a/group_vars/stage_qanso/keycloak.yml
+++ b/group_vars/stage_qanso/keycloak.yml
@@ -1,15 +1,2 @@
 # Used to authorize access to keaycloak via tcp/443 on the hcloud firewall
-keycloak_https_whitelisted_ips:
- - 0.0.0.0/0 # Public access to keycloak
-
-# Use these Realm ACLs to create custom Traefik labels for Keycloak to restrict admin access per realm
-# Both variables are mandatory!
-# name:
-# admin_ips:
-keycloak_admin_realm_acls:
- - name: management
- admin_ips:
- - 79.140.117.133/32 # mha
- - name: mhel
- admin_ips:
- - 79.140.117.133/32 # mha
+keycloak_https_whitelisted_ips: []
diff --git a/roles/keycloak/tasks/_configure_traefik.yml b/roles/keycloak/tasks/_configure_traefik.yml
index 58757c2..a56e71b 100644
--- a/roles/keycloak/tasks/_configure_traefik.yml
+++ b/roles/keycloak/tasks/_configure_traefik.yml
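Review bot: Removing `keycloak_admin_realm_acls` from stage_qanso does more than close the public whitelist: the per-realm `-admin-<realm>` routers built in roles/keycloak/tasks/_configure_traefik.yml will no longer be created for qa, so state-changing requests to the former management and mhel realms are handled by the generic `-state-change` router and its ipwhitelist rather than the realm-specific admin IPs; say so in the commit if that is intended. The loop that consumes the variable is outside this diff; if it has no role default, qanso now fails on an undefined variable, so either confirm a default such as `keycloak_admin_realm_acls: []` exists or keep the key here with that value. The deleted comment block (`# Both variables are mandatory!`) reads as if the role requires it, which makes that check worth doing before merge.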
@@ -3,7 +3,7 @@
 ansible.builtin.set_fact:
 labels:
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.service={{ keycloak_id }}"'
- - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.rule=Host(`{{ stage_server_domain }}`) && Method(`POST`,`PUT`,`DELETE`, `PATCH`) && (PathPrefix(`/auth/realms/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/realms/{{ keycloak_accessible_realm.name }}`))"'
+ - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.rule=Host(`{{ stage_server_domain }}`) && Method(`POST`,`PUT`,`DELETE`,`PATCH`) && (PathPrefix(`/auth/realms/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/{{ keycloak_accessible_realm.name }}`) || PathPrefix(`/auth/admin/realms/{{ keycloak_accessible_realm.name }}`))"'
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.entrypoints=websecure"'
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls=true"'
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls.certresolver=letsencrypt-http"'
@@ -24,3 +24,23 @@
 loop_var: keycloak_accessible_realm
 tags:
 - update_deployment
+
+# Neccessary for Trafik labels to allow POST method from AWX on k8s
+- name: "Get k8s_worker_node_ips"
+ block:
+ - name: "Lookup hetzner servers - smaradigo k8s worker nodes"
+ become: false
+ delegate_to: localhost
+ hcloud_server_info:
+ api_token: "{{ hetzner_authentication_ansible_vault }}"
+ label_selector: "service=kube_node,stage={{ stage }}"
+ register: found_servers
+ - name: "Initial VAR(s)"
+ set_fact:
+ k8s_worker_node_ips: []
+ - name: "Get IPs from k8s worker nodes"
+ set_fact:
+ k8s_worker_node_ips: '{{ k8s_worker_node_ips + [ item + "/32" ] }}'
+ loop: '{{ found_servers.hcloud_server_info | selectattr("ipv4_address","defined") | map(attribute="ipv4_address") }}'
+ tags:
+ - update_deployment
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index 0522acb..5ec34da 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
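Review bot: The new `Get k8s_worker_node_ips` block whitelists every server carrying `service=kube_node,stage={{ stage }}`, not just AWX: any workload that egresses through those nodes can then reach the state-changing Keycloak endpoints, and the header comment should say so instead of `# Neccessary for Trafik labels to allow POST method from AWX on k8s`, e.g. `# Collect this stage's k8s worker-node IPv4s for the Traefik state-change ipwhitelist: AWX runs on the cluster and egresses through these nodes, so every workload on them is allowed as well`. The `loop:` expression ends in `map(attribute="ipv4_address")`, which yields a generator rather than a list; append `| list` so the loop is portable across ansible-core versions. Nodes without an IPv4 address are silently dropped by `selectattr("ipv4_address","defined")`, which is fine only as long as the cluster does not egress via IPv6; worth confirming. For consistency with `ansible.builtin.set_fact` used earlier in this file, the new tasks should use the FQCNs `ansible.builtin.set_fact` and `hetzner.hcloud.hcloud_server_info`.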
@@ -12,6 +12,13 @@ keycloak_labels: [
 '"traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt"',
 '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-auth.service={{ keycloak_id }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-auth.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`/auth/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`/auth/realms/master/login-actions/authenticate`))"',
+ '"traefik.http.routers.{{ keycloak_id }}-auth.entrypoints=websecure"',
+ '"traefik.http.routers.{{ keycloak_id }}-auth.tls=true"',
+ '"traefik.http.routers.{{ keycloak_id }}-auth.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ keycloak_id }}-auth.loadbalancer.server.port={{ service_port }}"',
+ '"traefik.http.routers.{{ keycloak_id }}-state-change.service={{ keycloak_id }}"',
 '"traefik.http.routers.{{ keycloak_id }}-state-change.rule=Host(`{{ stage_server_domain }}`)&&Method(`POST`,`PUT`,`DELETE`, `PATCH`)"',
 '"traefik.http.routers.{{ keycloak_id }}-state-change.entrypoints=websecure"',
@@ -19,7 +26,7 @@ keycloak_labels: [
 '"traefik.http.routers.{{ keycloak_id }}-state-change.tls.certresolver=letsencrypt"',
 '"traefik.http.services.{{ keycloak_id }}-state-change.loadbalancer.server.port={{ service_port }}"',
 '"traefik.http.routers.{{ keycloak_id }}-state-change.middlewares={{ keycloak_id }}-state-change-ipwhitelist"',
- '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ ip_whitelist | join(",") }}"',
+ '"traefik.http.middlewares.{{ keycloak_id }}-state-change-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips) | join(",") }}"',
 ]
 keycloak_docker: {
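Review bot: The new `-auth` router carries no ipwhitelist middleware and is meant to take login POSTs away from `-state-change`, but both orderings rest on Traefik's default priority (rule string length): by my count the `-auth` rule beats the `-state-change` rule comfortably, while the per-realm `-admin-<realm>` rule from _configure_traefik.yml is only a few characters longer than the `-auth` rule, so a realm ACL keeps precedence by a thin margin that a future rule edit could flip and let realm logins bypass the admin IPs. Explicit priorities (`traefik.http.routers.{{ keycloak_id }}-auth.priority` set below the admin routers' and above `-state-change`'s) would make the intent robust. The router also deserves a comment next to its labels, since nothing in the file explains why it has no middleware: unrestricted login POSTs for every realm except master, which stays behind the state-change ipwhitelist.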
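Review bot: `(ip_whitelist + k8s_worker_node_ips) | join(",")` now fails to template whenever `k8s_worker_node_ips` is undefined; the fact is set only by the `Get k8s_worker_node_ips` block in _configure_traefik.yml, so any run that renders `keycloak_labels` before that block, or skips it by tag, will error, and the expression assumes `ip_whitelist` is a list as before. `{{ (ip_whitelist + (k8s_worker_node_ips | default([]))) | join(",") }}` keeps the label renderable; whether silently falling back to the static whitelist is acceptable or the play should fail loudly is a deliberate choice that deserves a comment on the line.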