{"id":"f97b5000-b3ae-467a-b9c2-f9e9741af037","task":"Enforce L7 HTTP policy in Cilium to allow only specific HTTP methods and paths","domain":"docs.cilium.io","steps":["Write a `CiliumNetworkPolicy` with `toPorts` specifying `protocol: TCP` and `port: 80`","Add a `rules.http` array under the port definition with entries like `{method: GET, path: /api/health}`","Use `fromEndpoints` to scope which source pods the L7 rule applies to","Ensure Envoy proxy is enabled in the Cilium installation (required for L7 enforcement)","Apply the policy and test with `curl` from an allowed pod; verify that disallowed methods return HTTP 403","Inspect policy verdicts with `hubble observe --verdict DROPPED` to confirm enforcement"],"gotchas":["L7 HTTP policy requires Cilium's Envoy integration to be active; clusters without it will silently ignore the `rules.http` section and enforce only at L4","HTTP path matching is prefix-based by default; use a regex anchor (`^/exact$`) if exact match is required","TLS-encrypted traffic (HTTPS) cannot be inspected at L7 without TLS termination configured separately"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/f97b5000-b3ae-467a-b9c2-f9e9741af037"}