Policy Language

KairOS Red uses the Rego policy language (from the Open Policy Agent project) for defining network access policies. Rego allows you to write fine-grained, declarative policies that evaluate every connection attempt.

How Policies Work

When a device attempts to connect to a VNI or send traffic through the fabric, the gateway evaluates the relevant policies. The evaluation produces a decision: allow or deny.

Connection Request
      |
      v
+-----------------+
|  Policy Engine   |
|  (OPA / Rego)    |
+--------+--------+
         |
    +----+----+
    | allow   | deny
    v         v
  Forward    Drop

Policy Structure

Each policy is written as a Rego package. The default decision is deny: you must write explicit rules to allow traffic.

package kairos.network

# Default deny
default allow = false

# Allow devices in the corporate VNI
allow {
    input.vni == "corporate"
    input.action == "connect"
    input.device.status == "enrolled"
}

# Allow management access from admin devices
allow {
    input.action == "manage"
    input.device.tags[_] == "admin"
}

Rego Syntax Basics

Rules

Rules are conditional statements that produce a value:

# Complete rule (returns true/false)
allow { ... }

# Partial rule (returns a set of values)
allowed_vnis[vni] { ... }

Variables

x := 5                          # Variable assignment
input.vni                       # Accessing input fields
input.device.tags[_] == "admin" # Iterating over arrays

Logical Operators

==  # Equality comparison
:=  # Assignment (a bare = is unification; prefer := inside rule bodies)
!=  # Not equal
not # Logical negation
and # Logical AND (implied by listing several expressions on separate lines)
or  # Logical OR (several rules with the same name; any one succeeding is enough)

Input Document

The input document is provided by the gateway during policy evaluation. The "action" field is one of "connect", "disconnect", "send" or "receive". The document contains:

{
  "vni": "corporate",
  "action": "connect",
  "device": {
    "id": "dev_abc123",
    "name": "prod-server-01",
    "status": "enrolled",
    "tags": ["production", "us-east-1"],
    "public_key": "0x..."
  },
  "source": {
    "ip": "10.0.0.15",
    "port": 54321
  },
  "destination": {
    "ip": "10.0.1.50",
    "port": 443
  },
  "timestamp": "2026-05-28T16:00:00Z"
}

Example Policies

Basic VNI Access Control

package kairos.network

default allow = false

# Allow enrolled devices to connect to corporate VNI
allow {
    input.vni == "corporate"
    input.action == "connect"
    input.device.status == "enrolled"
}

# Allow traffic within the same VNI
# (assumes the gateway populates source.vni and destination.vni for
#  "send" evaluations; these fields are not shown in the input document above)
allow {
    input.action == "send"
    input.source.vni == input.destination.vni
}

Role-Based Access Control

package kairos.network

default allow = false

# Admin devices can access all VNIs
allow {
    input.action == "connect"
    input.device.tags[_] == "admin"
}

# Production devices can only access production VNIs
allow {
    input.action == "connect"
    input.vni == "production"
    input.device.tags[_] == "production"
}

# Developers can access staging VNIs
allow {
    input.action == "connect"
    input.vni == "staging"
    input.device.tags[_] == "developer"
}

Time-Based Access

package kairos.network

default allow = false

# Allow contractor access during business hours
allow {
    input.vni == "staging"
    input.action == "connect"
    input.device.tags[_] == "contractor"
    business_hours
}

# time.* built-ins need no import statement, and time.clock expects
# nanoseconds since the epoch, so parse the RFC 3339 timestamp first.
business_hours {
    ns := time.parse_rfc3339_ns(input.timestamp)
    hour := time.clock([ns, "UTC"])[0]
    hour >= 9
    hour < 17
}

Rate Limiting Policy

package kairos.network

default allow = false

# Rate limit: max 100 connections per minute per device
allow {
    input.action == "connect"
    connection_rate(input.device.id, 100, 60)
}

connection_rate(device_id, max_requests, window_seconds) {
    # Placeholder: the gateway's rate limiter supplies the real check
    # (device_id's connection count in the last window_seconds < max_requests).
    # As written this body always succeeds, so the rule above allows every
    # connect until the gateway substitutes its own implementation.
    true
}

Policy Evaluation Points

Policies are evaluated at these points in the connection lifecycle:

Evaluation Point    Action       Description
VNI Connect         connect      When a device attempts to join a VNI
VNI Disconnect      disconnect   When a device leaves a VNI
Traffic Send        send         When a device sends traffic through the fabric
Traffic Receive     receive      When a device receives traffic from the fabric
Enroll              enroll       When a device enrolls with the network

Testing Policies

You can test policies locally using the OPA CLI:

# Install OPA
brew install opa

# Test a policy against input
opa eval --data policy.rego --input input.json "data.kairos.network.allow"

# Run policy tests
opa test ./policies/
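As an added example (not part of the KairOS Red documentation), the following single file combines the syntax points from Rego Syntax Basics (a partial set rule, `not`, and OR via several rules with the same name) with the unit tests that `opa test` runs against it. It uses the pre-1.0 Rego syntax shown on this page; OPA 1.0 and later reject rules written without `if`/`contains` unless invoked with `--v0-compatible`. The "quarantined" tag and the device values are constructed for the example.

```rego
package kairos.network

default allow = false

# Set of VNIs a device may join, derived from its tags (partial set rule).
allowed_vnis[vni] {
    input.device.tags[_] == "admin"
    vni := input.vni             # admin devices may join any VNI
}

allowed_vnis["production"] {
    input.device.tags[_] == "production"
}

allowed_vnis["staging"] {
    input.device.tags[_] == "developer"
}

# Devices carrying the (hypothetical) "quarantined" tag are blocked whatever else they carry.
quarantined {
    input.device.tags[_] == "quarantined"
}

allow {
    input.action == "connect"
    input.device.status == "enrolled"
    allowed_vnis[input.vni]      # membership test against the set above
    not quarantined              # negation: the body fails if quarantined is true
}
# Unit tests (run with `opa test`): a test_ rule passes when its body evaluates to true.
base_device := {"id": "dev_test", "status": "enrolled", "tags": ["developer"]}

test_developer_can_join_staging {
    allow with input as {"vni": "staging", "action": "connect", "device": base_device}
}

test_developer_cannot_join_production {
    not allow with input as {"vni": "production", "action": "connect", "device": base_device}
}

test_quarantined_admin_is_denied {
    dev := object.union(base_device, {"tags": ["admin", "quarantined"]})
    not allow with input as {"vni": "corporate", "action": "connect", "device": dev}
}

test_unenrolled_device_is_denied {
    dev := object.union(base_device, {"status": "pending"})
    not allow with input as {"vni": "staging", "action": "connect", "device": dev}
}
```

In a real repository the test_ rules would live in a separate *_test.rego file next to the policy; they are kept in one file here only so the example runs as a single unit.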

Best Practices

  1. Always start with "default deny" — this ensures no traffic is accidentally permitted
  2. Use tags for device classification — tag-based policies are easier to manage than device-specific rules
  3. Test policies before deploying — use the OPA CLI or the API evaluation endpoint
  4. Version your policies — each policy change is logged in the audit trail
  5. Use meaningful names — policy and rule names should describe their purpose
  6. Keep policies simple — complex policies are harder to audit and debug

Additional Resources