If I have a Kubernetes service (cluster IP with port 12345) with three pods behind it as endpoints (port 16789) in a namespace, what should be whitelisted in the network policy: just the service port, the endpoint port, or the DNS port? A network policy can only take pod/namespace labels as selectors, not service labels. It is not clear from the documentation. I am trying to access the service from a different namespace. The environment uses Calico as the CNI.
The network policies are on the pods' network interfaces. You can have a pod without a service and want to add a network policy.
So you have to allow port 16789.