{"id":"fbb8aa3f-3423-46e4-ad23-de94c2a27065","task":"Write a Cilium L3/L4 NetworkPolicy to restrict pod-to-pod traffic","domain":"docs.cilium.io","steps":["Create a `CiliumNetworkPolicy` manifest with `apiVersion: cilium.io/v2` targeting pods via `endpointSelector`","Define `ingress` rules with `fromEndpoints` using label selectors to allow specific pod-to-pod traffic","Add `toPorts` under each ingress rule specifying allowed protocol (`TCP`) and port numbers","Define `egress` rules similarly with `toEndpoints` and `toPorts` for outbound access","Apply with `kubectl apply` and verify enforcement with `cilium endpoint list` and `cilium monitor`"],"gotchas":["CiliumNetworkPolicy and standard Kubernetes NetworkPolicy coexist but are evaluated independently; a pod can be allowed by one and denied by the other depending on Cilium's policy mode","An empty `endpointSelector: {}` matches all endpoints in the namespace — always confirm scope before applying a deny-all-equivalent policy","L4 port rules require specifying `protocol`; omitting it defaults to any protocol, which may be broader than intended"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/fbb8aa3f-3423-46e4-ad23-de94c2a27065"}