1. Create a `CiliumNetworkPolicy` manifest with `apiVersion: cilium.io/v2` targeting pods via `endpointSelector`
2. Define `ingress` rules with `fromEndpoints` using label selectors to allow specific pod-to-pod traffic
3. Add `toPorts` under each ingress rule specifying allowed protocol (`TCP`) and port numbers
4. Define `egress` rules similarly with `toEndpoints` and `toPorts` for outbound access
5. Apply with `kubectl apply` and verify enforcement with `cilium endpoint list` and `cilium monitor`
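A complete manifest that follows the five steps above, added here as an example and not taken from the Cilium project. The namespace `shop`, the labels `app: backend`, `app: frontend` and `app: database`, and the port numbers are constructed for illustration; the final egress rule to `kube-dns` goes slightly beyond the steps, because once a pod is selected by any egress rule, all egress not explicitly allowed (DNS included) is dropped.

```yaml
# Added example: allow frontend -> backend:8080/TCP in, backend -> database:5432/TCP
# and backend -> kube-dns:53/UDP out. Everything else to/from `app: backend` is denied
# once this policy is applied. Names, labels and ports are constructed, not real.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-policy
  namespace: shop            # a CNP is namespaced; selectors below match only pods here
spec:
  endpointSelector:
    matchLabels:
      app: backend           # step 1: the pods this policy is enforced on
  ingress:
    - fromEndpoints:          # step 2: only pods carrying app=frontend may connect...
        - matchLabels:
            app: frontend
      toPorts:                # step 3: ...and only to TCP/8080
        - ports:
            - port: "8080"    # port is a string in the Cilium schema
              protocol: TCP   # set explicitly; omitted means any protocol
  egress:
    - toEndpoints:            # step 4: outbound to the database on TCP/5432
        - matchLabels:
            app: database
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    - toEndpoints:            # cross-namespace selector for cluster DNS (kube-system)
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
```

Step 5: `kubectl apply -f backend-policy.yaml`, then `kubectl -n shop get cnp backend-policy` to confirm the object exists. `cilium endpoint list` (run in a `cilium-agent` pod) shows `Enabled` in the POLICY (ingress) ENFORCEMENT and POLICY (egress) ENFORCEMENT columns for the `app=backend` endpoints, and `cilium monitor --type drop` shows any connection the policy rejects while you exercise the frontend and backend.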
Known gotchas
- CiliumNetworkPolicy and standard Kubernetes NetworkPolicy coexist but are evaluated independently; a pod can be allowed by one and denied by the other depending on Cilium's policy enforcement mode
- An empty `endpointSelector: {}` matches all endpoints in the namespace; always confirm the scope before applying a deny-all-equivalent policy
- L4 port rules should always specify `protocol`; when it is omitted, the rule defaults to any protocol, which may be broader than intended
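The two selector and protocol gotchas side by side, as an added example (not from the page or the Cilium project): the first document is the over-broad form, the second is the scoped, explicit form that should actually be applied. The namespace `shop` and the labels are constructed.

```yaml
# Added example, over-broad form. DO NOT apply as-is: the empty endpointSelector
# puts every pod in namespace `shop` into ingress default-deny, and the port rule
# has no protocol, so it allows any protocol on port 8080, not just TCP.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-8080-broad
  namespace: shop
spec:
  endpointSelector: {}        # gotcha: matches ALL endpoints in `shop`
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"    # gotcha: no protocol -> any protocol
---
# Added example, corrected form: explicit scope and explicit protocol.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-8080-backend
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend            # only the backend pods enter default-deny
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP   # exactly TCP/8080, nothing else
```

Before applying either document, `kubectl -n shop get pods --show-labels` shows exactly which pods a given `endpointSelector` will capture; after applying, `cilium endpoint list` shows which endpoints now have POLICY (ingress) ENFORCEMENT set to `Enabled`, which is the quickest way to spot a policy whose scope is wider than you meant.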
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
`claude mcp add --transport http waymark https://mcp.waymark.network/mcp`