Network policy will allow you to do exactly what you described on picture. You can allow or block based on labels or namespaces.

It's difficult to help you when you don't explain what you exactly did and what is not working. Update your question with actual network policy YAML you created and ideally also send kubectl get pod --show-labels from the namespace with the pods.

What do you mean by 'local kubernetes' is also unclear but it depends largely on network CNI you're using as it must support network policies. For example Calico or Cilium support it. Minikube in it's default setting don't so you should follow i.e. this guide: https://medium.com/@atsvetkov906090/enable-network-policy-on-minikube-f7e250f09a14

You can use Istio Sidecar to solve this : https://istio.io/latest/docs/reference/config/networking/sidecar/

Another Istio solution is the usage of AuthorizationPolicy : https://istio.io/latest/docs/reference/config/security/authorization-policy/

Just to update because I was involved in the problem of this post. The problem was with pods that had the istio injected. In this case, all pods in the namespace, because it had istio-injection=enabled. The NetworkPolicy rule was not taking effect when the selection was made by a matchselector, egress or ingress, and the pods involved were already running before NetworkPolicy was created. By killing the pod and then starting it, the pods that had the label match had access normally. I don't know if there is a way to say to refresh the sidecar inside the pods without having to restart it. Pods started after the creation of NetworkPolicy did not give the problem of this post.