apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-most-allow-some
  namespace: database
spec:
  # Apply to all pods in this namespace
  podSelector: {}
  ingress:
  - from:
    # Allow all pods in this namespace
    - namespaceSelector:
        matchLabels:
          name: "database"

    # Allow all pods with this label
    - podSelector:
        matchLabels:
          needsDatabase: "yes"