Chapter 17. Integrating with email
With Red Hat Advanced Cluster Security for Kubernetes (RHACS), you can configure your existing email provider to send notifications about policy violations. If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you can use your existing email provider or the built-in email notifier to send email notifications.
You can use the Default recipient
field to forward alerts from RHACS and the RHACS Cloud Service to an email address. Otherwise, you can use annotations to define an audience and notify them about policy violations associated with a specific deployment or namespace.
17.1. Integrating with email on RHACS
You can use email as a notification method by forwarding alerts from RHACS.
17.1.1. Configuring the email plugin
The RHACS notifier can send email to a recipient specified in the integration, or it can use annotations to determine the recipient.
If you are using RHACS Cloud Service, it blocks port 25
by default. Configure your mail server to use port 587
or 465
to send email notifications.
Procedure
-
Go to Platform Configuration
Integrations. - Under the Notifier Integrations section, select Email.
- Select New Integration.
- In the Integration name field, enter a name for your email integration.
-
In the Email server field, enter the address of your email server. The email server address includes fully qualified domain name (FQDN) and the port number; for example,
smtp.example.com:465
. Optional: If you are using unauthenticated SMTP, select Enable unauthenticated SMTP. This is insecure and not recommended, but might be required for some integrations. For example, you might need to enable this option if you use an internal server for notifications that does not require authentication.
NoteYou cannot change an existing email integration that uses authentication to enable unauthenticated SMTP. You must delete the existing integration and create a new one with Enable unauthenticated SMTP selected.
- Enter the user name and password of a service account that is used for authentication.
-
Optional: Enter the name that you want to appear in the
FROM
header of email notifications in the From field; for example,Security Alerts
. -
Specify the email address that you want to appear in the
SENDER
header of email notifications in the Sender field. - Specify the email address that will receive the notifications in the Default recipient field.
Optional: Enter an annotation key in Annotation key for recipient. You can use annotations to dynamically determine an email recipient. To do this:
Add an annotation similar to the following example in your namespace or deployment YAML file, where
email
is theAnnotation key
that you specify in your email integration. You can create an annotation for the deployment or the namespace.annotations: email: <email_address>
Use the annotation key
email
in the Annotation key for recipient field.If you configured the deployment or namespace with an annotation, the RHACS sends the alert to the email specified in the annotation. Otherwise, it sends the alert to the default recipient.
NoteThe following rules govern how RHACS determines the recipient of an email notification:
- If the deployment has an annotation key, the annotation’s value overrides the default value.
- If the namespace has an annotation key, the namespace’s value overrides the default value.
- If a deployment has an annotation key and a defined audience, RHACS sends an email to the audience specified in the key.
- If a deployment does not have an annotation key, RHACS checks the namespace for an annotation key and sends an email to the specified audience.
- If no annotation keys exist, RHACS sends an email to the default recipient.
Optional: Select Disable TLS certificate validation (insecure) to send email without TLS. You should not disable TLS unless you are using StartTLS.
NoteUse TLS for email notifications. Without TLS, all email is sent unencrypted.
Optional: To use StartTLS, select either Login or Plain from the Use STARTTLS (requires TLS to be disabled) drop-down menu.
ImportantWith StartTLS, credentials are passed in plain text to the email server before the session encryption is established.
-
StartTLS with the Login parameter sends authentication credentials in a
base64
encoded string. - StartTLS with the Plain parameter sends authentication credentials to your mail relay in plain text.
-
StartTLS with the Login parameter sends authentication credentials in a
Additional resources
17.1.2. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
-
In the RHACS portal, go to Platform Configuration
Policy Management. - Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
In the Enable notification window, select the Email notifier.
NoteIf you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
- A policy violation occurs for the first time in a deployment.
- A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
17.2. Integrating with email on RHACS Cloud Service
You can use your existing email provider or the built-in email notifier in RHACS Cloud Service to send email alerts about policy violations.
- To use your own email provider, you must configure the email provider as described in the section Configuring the email plugin.
- To use the built-in email notifier, you must configure the RHACS Cloud Service email plugin.
17.2.1. Configuring the RHACS Cloud Service email plugin
The RHACS Cloud Service notifier sends an email to a recipient. You can specify the recipient in the integration, or RHACS Cloud Service can use annotation keys to find the recipient.
- You can only send 250 emails per 24-hour rolling period. If you exceed this limit, RHACS Cloud Service sends emails only after the 24-hour period ends.
- Because of rate limits, Red Hat recommends using email notifications only for critical alerts or vulnerability reports.
Procedure
-
Go to Platform Configuration
Integrations. - Under the Notifier Integrations section, select RHACS Cloud Service Email.
- Select New Integration.
- In the Integration name field, enter a name for your email integration.
- Specify the email address to which you want to send the email notifications in the Default recipient field.
Optional: Enter an annotation key in Annotation key for recipient. You can use annotations to dynamically determine an email recipient. To do this:
Add an annotation similar to the following example in your namespace or deployment YAML file, where
email
is theAnnotation key
that you specify in your email integration. You can create an annotation for the deployment or the namespace.annotations: email: <email_address>
-
Use the annotation key
email
in the Annotation key for recipient field.
If you configured the deployment or namespace with an annotation, the RHACS Cloud Service sends the alert to the email specified in the annotation. Otherwise, it sends the alert to the default recipient.
The following rules govern how RHACS Cloud Service determines the recipient of an email notification:
- If the deployment has an annotation key, the annotation’s value overrides the default value.
- If the namespace has an annotation key, the namespace’s value overrides the default value.
- If a deployment has an annotation key and a defined audience, RHACS Cloud Service sends an email to the audience specified in the key.
- If a deployment does not have an annotation key, RHACS Cloud Service checks the namespace for an annotation key and sends an email to the specified audience.
- If no annotation keys exist, RHACS Cloud Service sends an email to the default recipient.
Additional resources
17.2.2. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
-
In the RHACS portal, go to Platform Configuration
Policy Management. - Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
In the Enable notification window, select the RHACS Cloud Service Email notifier.
NoteIf you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
- A policy violation occurs for the first time in a deployment.
- A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.