I have a working example here, I've deliberately not included ports to keep it as compatible as possible: https://github.com/patrick-stephens/couchbase-gitops/blob/96254f590bac86b2a0165e0a69b7e5cb1e77d8f1/network-policy-test.sh
Ports can be deduced from the server docs as linked from our docs: https://docs.couchbase.com/server/current/install/install-ports.html#detailed-port-description
If you start messing with ports then you need to open them all up as required by that version of server and the configuration deployed (if you just open the superset then makes little sense to do it by port). You will also have to start dealing with SDK connections as well to specific ports.
SDK ingress will need handling but that is out of scope here: it depends on the networking topology deployed if you want to lock it down by CIDR or you could just support any SDK ingress via a 0.0.0.0/0 CIDR (again though bit pointless if the intent is to lock down ports/addresses).
DAC needs a little handling as well to interact with the K8S API, but then this is pretty standard for any admission controller. Similarly if you want to use `kubectl`, `helm`, etc. from outside the cluster then that also needs to be allowed to access what it needs to - again though a standard network policy issue rather than anything to do with Couchbase.
Docs have been added along with a tutorial to the 2.3-beta branch so should appear once merged.