Write a `CiliumNetworkPolicy` with `toPorts` specifying `protocol: TCP` and `port: 80`
Add a `rules.http` array under the port definition with entries like `{method: GET, path: /api/health}`
Use `fromEndpoints` to scope which source pods the L7 rule applies to
Ensure Envoy proxy is enabled in the Cilium installation (required for L7 enforcement)
Apply the policy and test with `curl` from an allowed pod; verify that disallowed methods return HTTP 403
Inspect policy verdicts with `hubble observe --verdict DROPPED` to confirm enforcement
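The steps above combined into one manifest, as an added example that is not from the original page. The policy name, namespace, pod labels and the service hostname in the comments are assumptions chosen for illustration.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-health-get          # hypothetical policy name
  namespace: demo                 # hypothetical namespace
spec:
  # Destination pods the policy is attached to (hypothetical label).
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # Only these source pods are covered by the L7 rule (hypothetical label).
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "80"          # port is written as a string in the Cilium schema
              protocol: TCP
          # The rules.http array sits under the same toPorts entry as the port.
          rules:
            http:
              - method: GET
                path: /api/health

# Checks after `kubectl apply -f <this file>`, run from a pod labelled app=frontend
# (the hostname api.demo.svc is an assumed Service in front of the app=api pods):
#
#   curl -s -o /dev/null -w '%{http_code}\n' http://api.demo.svc/api/health
#     -> the request is forwarded to the application
#   curl -s -o /dev/null -w '%{http_code}\n' -X POST http://api.demo.svc/api/health
#     -> 403, because POST is not listed under rules.http
#   hubble observe --verdict DROPPED
#     -> shows the denied request
```

If the POST request also reaches the application, check the Envoy integration first, since without it only the L4 part of this policy is enforced.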
Known gotchas
L7 HTTP policy requires Cilium's Envoy integration to be active; clusters without it will silently ignore the `rules.http` section and enforce only at L4
HTTP path matching is prefix-based by default; use a regex anchor (`^/exact$`) if exact match is required
TLS-encrypted traffic (HTTPS) cannot be inspected at L7 without TLS termination configured separately