Flux NetworkPolicies blocks KuboCD artifact download

[leuwen-lc]

Flux installs NetworkPolicies that restrict access to source-controller (artifact HTTP server on port 9090) to pods within flux-system only. KuboCD's controller runs in the kubocd namespace and needs to fetch artifacts, so a policy as below must be applied before installing KuboCD.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-kubocd
  namespace: flux-system
spec:
  podSelector:
    matchLabels:
      app: source-controller
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kubocd
      ports:
        - port: 9090
          protocol: TCP

[leuwen-lc]

I am using Kind 0.31.0.

Before applying the networkpolicy in the kubocd-ctrl-controller log I had errors as below

level=error msg="Reconciler error" Release="{cnpg-postgresql             
  kubocd-system}" controller=kubocd-release controllerGroup=kubocd.kubotal.io controllerKind=Release error="unable to fetch artifact: failed to download archive: GET http://source 
  -controller.flux-system.svc.cluster.local./ocirepository/kubocd-system/kcd-cnpg-postgresql/sha256:ca6917dd38d8f9faf5d556075652335ccba399a47c6a05f317a36cbe82b756e6.tar.gz  
  up after 10 attempt(s): Get \"http://source-controller.flux-system.svc.cluster.local./ocirepository/kubocd-system/kcd-cnpg-postgresql/sha256:ca6917dd38d8f9faf5d556075652335ccba3 
  99a47c6a05f317a36cbe82b756e6.tar.gz\": dial tcp 10.96.166.35:80: i/o timeout" name=cnpg-postgresql namespace=kubocd-system reconcileID="\"5ec2bef0-f1a3-48bc-b9ea-f5831633033b\"