Network Policy
Same as in the CKA, you're expected to create Network Policies based on a given scenario. Break the scenario down task by task, and then direction by direction (ingress/egress). The Kubernetes documentation is a great resource for quickly looking up the fields you need.
One point that many easily miss: a Network Policy is created to "allow" traffic; for the pods it selects, everything else is already "denied". So configure only what should be "allowed" and ignore what must be denied, as that is implicitly taken care of by the Network Policy.
Labels are very important before configuring the Network Policy. Fetch all the labels for the resources involved (Pod / Node / Namespace etc.).
k get -n <namespace> all --show-labels
Example scenario:
Allow port 80 on the pod labelled app=mordor in namespace mordor.
Allow incoming traffic from the namespace frodo.
Allow incoming traffic from the pod with label as app=sam.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mtdoom-np
  namespace: mordor
spec:
  podSelector:
    matchLabels:
      app: mordor
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app: frodo
    - podSelector:
        matchLabels:
          app: sam
      namespaceSelector: {}
    ports:
    - protocol: TCP
      port: 80
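As an added example that is not part of the original notes: a small Python evaluator of the ingress semantics used in the policy above (the policy is embedded as a constructed dict, so it needs no cluster or PyYAML). It shows how the two `from` entries combine and that anything not listed is denied for the selected pod.

```python
# Added example (not from the original notes): evaluator for the ingress semantics
# of the policy above; the policy is a constructed dict, so no cluster or PyYAML needed.
POLICY = {
    "metadata": {"name": "mtdoom-np", "namespace": "mordor"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "mordor"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [
                {"namespaceSelector": {"matchLabels": {"app": "frodo"}}},
                {"podSelector": {"matchLabels": {"app": "sam"}},
                 "namespaceSelector": {}},  # app=sam pods in ANY namespace
            ],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present ({} matches all)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """One 'from' entry: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector alone matches any pod in those namespaces, both are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = (src_ns == policy_ns) if ns_sel is None else selector_matches(ns_sel, src_ns_labels)
    pod_ok = True if pod_sel is None else selector_matches(pod_sel, src_pod_labels)
    return ns_ok and pod_ok

def ingress_allowed(policy, dst_pod_labels, src_ns, src_ns_labels, src_pod_labels, proto, port):
    """True if this policy lets the described connection reach the destination pod."""
    spec, policy_ns = policy["spec"], policy["metadata"]["namespace"]
    if not selector_matches(spec["podSelector"], dst_pod_labels):
        return True  # pod not selected: this policy imposes nothing on it
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # policy governs egress only
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        peer_ok = peers is None or any(
            peer_matches(p, policy_ns, src_ns, src_ns_labels, src_pod_labels) for p in peers)
        port_ok = ports is None or any(
            p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)
        if peer_ok and port_ok:
            return True  # entries within 'from' and 'ports' are ORed; from AND ports
    return False  # selected pod with no matching rule: the implicit deny

if __name__ == "__main__":
    # Quick check: a pod in the frodo namespace reaching TCP/80 on the app=mordor pod
    print(ingress_allowed(POLICY, {"app": "mordor"}, "frodo", {"app": "frodo"}, {}, "TCP", 80))
```

Note that a rule listing only TCP/80 does not match ICMP, so a ping-based check exercises the policy differently from a TCP connection to port 80.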
Verify the Network Policy
It is always helpful to test the network policy after creating it. The easiest way is to deploy a quick pod in a specific namespace and then try to connect to the Pod which has the NetworkPolicy applied.
Syntax:
kubectl run <new pod name> --image=<image-name> -- ping <Network-policy-Pod-ip-address>
Example:
kubectl run test-pod --image=alpine -- ping 192.168.194.81
kubectl logs test-pod
PING 192.168.194.81 (192.168.194.81): 56 data bytes
64 bytes from 192.168.194.81: seq=0 ttl=63 time=0.271 ms
64 bytes from 192.168.194.81: seq=1 ttl=63 time=0.109 ms
64 bytes from 192.168.194.81: seq=2 ttl=63 time=0.077 ms
64 bytes from 192.168.194.81: seq=3 ttl=63 time=0.161 ms
64 bytes from 192.168.194.81: seq=4 ttl=63 time=0.080 ms
64 bytes from 192.168.194.81: seq=5 ttl=63 time=0.082 ms
Additional reference
Tons of Network Policy scenarios for practice at this GitHub repo.
If you'd like to read a bit more about Network Policy and its flexibility, this is worth a read.