Let's say you have a pod that should reject all traffic unless that traffic comes from a specific type of pod. In this case, an ingress Network Policy will serve your needs. Here's a quick example of what that might look like; we will discuss some specifics after it:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: backend

In the above, any pod with the role: db label will be able to receive traffic from a pod that is either in a namespace labeled project: myproject or carries the label role: backend. If a pod doesn't meet at least one of those criteria, it simply cannot connect to that protected pod.
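The either/or matching described above can be checked with a small evaluator. This is an added example, not code from the original page: it models only matchLabels, and the source pods, the `proj` and `other` namespace names, and the `AND_PEERS` variant are constructed for illustration.

```python
POLICY_NS = "default"  # namespace of db-network-policy on the page

# The page's rule: two separate `from` peers, so matching EITHER one is enough.
OR_PEERS = [
    {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
    {"podSelector": {"matchLabels": {"role": "backend"}}},
]
# Constructed variant (not on the page): one peer holding both selectors, so BOTH must match.
AND_PEERS = [
    {"namespaceSelector": {"matchLabels": {"project": "myproject"}},
     "podSelector": {"matchLabels": {"role": "backend"}}},
]

# Constructed source pods: (namespace name, namespace labels, pod labels).
SOURCES = {
    "backend-in-default": ("default", {}, {"role": "backend"}),
    "frontend-in-proj": ("proj", {"project": "myproject"}, {"role": "frontend"}),
    "backend-in-proj": ("proj", {"project": "myproject"}, {"role": "backend"}),
    "backend-in-other": ("other", {}, {"role": "backend"}),
}

def labels_match(selector, labels):
    """Every matchLabels pair must be present; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, source):
    namespace, ns_labels, pod_labels = source
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # A podSelector on its own only selects pods in the policy's own namespace.
        ns_ok = namespace == POLICY_NS
    else:
        ns_ok = labels_match(ns_sel, ns_labels)
    # A namespaceSelector on its own selects every pod in the matching namespaces.
    pod_ok = pod_sel is None or labels_match(pod_sel, pod_labels)
    return ns_ok and pod_ok

def verdicts(peers):
    """Peers in one `from` list are ORed: any matching peer admits the source."""
    return {name: any(peer_allows(p, src) for p in peers) for name, src in SOURCES.items()}

if __name__ == "__main__":
    for title, peers in (("page policy (OR)", OR_PEERS), ("single peer (AND)", AND_PEERS)):
        print(title, verdicts(peers))
```

With the page's two-peer form, a frontend pod in a project: myproject namespace is admitted; only the single-peer form restricts access to backend pods inside that namespace.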

Once a network policy selects a pod, traffic to that pod is implicitly denied unless explicitly allowed. Keep this in mind when you are restricting traffic so that you don't accidentally create an outage.