diff --git a/k8s/infrastructure/controllers/crowdsec/kustomization.yaml b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
index 69b1fee..ae5da9a 100644
--- a/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/kustomization.yaml
@@ -6,4 +6,3 @@ resources:
 - secrets.yaml
 - repository.yaml
 - release.yaml
-
diff --git a/k8s/infrastructure/controllers/crowdsec/release.yaml b/k8s/infrastructure/controllers/crowdsec/release.yaml
index 350272c..6865775 100644
--- a/k8s/infrastructure/controllers/crowdsec/release.yaml
+++ b/k8s/infrastructure/controllers/crowdsec/release.yaml
@@ -30,10 +30,19 @@ spec:
 podName: traefik-*
 # as in crowdsec configuration, we need to specify the program name to find a matching parser
 program: traefik
+ poll_without_inotify: true
 env:
+ - name: PARSERS
+ value: "crowdsecurity/cri-logs"
 - name: COLLECTIONS
- value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
+ value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/http-cve"
 lapi:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ additionalLabels:
+ release: kube-prometheus-stack
 env:
 # To enroll the Security Engine to the console
 - name: ENROLL_KEY
diff --git a/k8s/infrastructure/controllers/traefik/middlewares/cloudflare-ip-header.yaml b/k8s/infrastructure/controllers/traefik/middlewares/cloudflare-ip-header.yaml
new file mode 100644
index 0000000..aa6a93b
--- /dev/null
+++ b/k8s/infrastructure/controllers/traefik/middlewares/cloudflare-ip-header.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: cloudflare-ip-header
+ namespace: traefik
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-For: "{Cf-Connecting-Ip}"
+
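Review bot: The new `PARSERS` entry and `poll_without_inotify: true` in the crowdsec acquisition block carry no comment, while the neighbouring `program: traefik` line explains itself; a one-line note above each recording which log source needs the `cri-logs` parser and why inotify is not usable for it would keep this block readable. Dropping `crowdsecurity/base-http-scenarios` from `COLLECTIONS` in favour of `crowdsecurity/http-cve` only preserves the generic HTTP detections if the `crowdsecurity/traefik` collection still pulls them in transitively — worth confirming in the hub before relying on it. The enclosing `spec` block starts and ends outside the hunk.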
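Review bot: `X-Forwarded-For: "{Cf-Connecting-Ip}"` in the new Middleware is a static header value, not a template — as far as I know Traefik's headers middleware does not interpolate placeholders in `customRequestHeaders`, so every request passing through it would reach the backend with the literal string `{Cf-Connecting-Ip}` as `X-Forwarded-For`, replacing the client address Cloudflare already supplies there. Since the accompanying release.yaml change trusts forwarded headers from Cloudflare's ranges, Cloudflare's own `X-Forwarded-For` would already be honoured and this middleware looks unnecessary; if the intent is to prefer `CF-Connecting-IP` specifically, that needs a plugin that copies the header rather than a static value. At minimum add a comment above `customRequestHeaders` stating the intended behaviour, so the next reader does not assume substitution takes place.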
diff --git a/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml b/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
index c3e765d..5674595 100644
--- a/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
+++ b/k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - crowdsec-bouncer.yaml
+ - cloudflare-ip-header.yaml
diff --git a/k8s/infrastructure/controllers/traefik/release.yaml b/k8s/infrastructure/controllers/traefik/release.yaml
index 0b46ff3..a888395 100644
--- a/k8s/infrastructure/controllers/traefik/release.yaml
+++ b/k8s/infrastructure/controllers/traefik/release.yaml
@@ -60,6 +60,32 @@ spec:
 websecure:
 middlewares:
 - traefik-bouncer@kubernetescrd
+ - traefik-cloudflare-ip-header@kubernetescrd
+ trustedIPs:
+ # https://www.cloudflare.com/ips-v4/#
+ - 173.245.48.0/20
+ - 103.21.244.0/22
+ - 103.22.200.0/22
+ - 103.31.4.0/22
+ - 141.101.64.0/18
+ - 108.162.192.0/18
+ - 190.93.240.0/20
+ - 188.114.96.0/20
+ - 197.234.240.0/22
+ - 198.41.128.0/17
+ - 162.158.0.0/15
+ - 104.16.0.0/13
+ - 104.24.0.0/14
+ - 172.64.0.0/13
+ - 131.0.72.0/22
+ # https://www.cloudflare.com/ips-v6/#
+ - 2400:cb00::/32
+ - 2606:4700::/32
+ - 2803:f800::/32
+ - 2405:b500::/32
+ - 2405:8100::/32
+ - 2a06:98c0::/29
+ - 2c0f:f248::/32
 port: 443
 http3:
 enabled: true
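Review bot: `trustedIPs` is added directly under `websecure`, but in the Traefik Helm chart the forwarded-header trust list is keyed as `ports.websecure.forwardedHeaders.trustedIPs` (with a separate `proxyProtocol.trustedIPs`); if the chart does not recognise a bare `trustedIPs` the list is silently ignored and `X-Forwarded-For` from Cloudflare stays untrusted, so the bouncer and any IP-based rule keeps seeing Cloudflare edge addresses — confirm by inspecting the rendered entrypoint arguments. The likely fix is to nest the list: `forwardedHeaders:` followed by `trustedIPs:` indented beneath it, with the same entries. The ranges are a hand-copied snapshot of Cloudflare's published lists, which change over time; a comment such as `# snapshot of cloudflare ips-v4 / ips-v6 taken <DATE>; re-sync when Cloudflare updates them` records when it was taken. Note also the middleware order: `traefik-bouncer` runs before `traefik-cloudflare-ip-header`, so the bouncer's decision never sees the header that middleware sets. The enclosing block starts outside the hunk.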