Restrict access from one service to another

Thank you!

I am trying to use sidecar, but it seems does not work. Where is mistake?

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: iam
  namespace: ns1
spec:
  workloadSelector:
    labels:
      app: iam
  egress:
    - hosts:
        - "ns1/postgres.ns1.svc.cluster.local"

After applying this config IAM service still has access to all services