Configure Red Hat Advanced Cluster Security for Kubernetes (RHACS) to send alerts about policy violations to a standard email provider.

You can use email as a notification method by forwarding alerts from RHACS to a standard email provider. To forward alerts from the RHACS platform to an email address, you can use the Default Recipient field to send email to a standard and centralized team, or use deployment annotations to specify an audience for notifications.

With annotation keys, you can define an audience to notify about policy violations that are associated with a deployment or namespace. If the deployment has an annotation, the annotation’s value overrides the default value. If the namespace has an annotation, the namespace’s value overrides the default value.

  • If a deployment has an annotation key and a defined audience, an email is sent to the audience who is defined by the key.

  • If a deployment does not have an annotation key, the namespace is checked for an annotation key and an email is sent to the defined audience.

  • If no annotation keys exist, an email is sent to the default recipient that is defined in the integration.

Configuring the email plugin

The RHACS notifier can send email to a recipient specified in the integration, or it can use annotations to determine the recipient.

To use an annotation to dynamically determine an email recipient:

  1. Add an annotation similar to the following example in your deployment YAML file, where email is the Annotation key that you specify in your email integration.

      email: <email_address>
  2. Use the annotation key email in the Annotation key for recipient field when you configure RHACS.

You can create an annotation for the deployment or the namespace.

If you configured the deployment or namespace with an annotation, the RHACS platform sends the alert to the email specified in the annotation. Otherwise, it sends the alert to the default recipient.

  1. Navigate to Platform ConfigurationIntegrations.

  2. Under the Notifier Integrations section, select Email.

  3. Select New Integration.

  4. In the Integration name field, enter a name for your email integration.

  5. In the Email server field, enter the address of your email server. The email server address includes fully qualified domain name (FQDN) and the port number; for example, smtp.example.com:465.

  6. Optional: If you are using unauthenticated SMTP, select Enable unauthenticated SMTP. This is insecure and not recommended, but might be required for some integrations. For example, you might need to enable this option if you use an internal server for notifications that does not require authentication.

    You cannot change an existing email integration that uses authentication to enable unauthenticated SMTP. You must delete the existing integration and create a new one with Enable unauthenticated SMTP selected.

  7. Enter the user name and password of a service account that is used for authentication.

  8. Optional: Enter the name that you want to appear in the FROM header of email notifications in the From field; for example, Security Alerts.

  9. Specify the email address that you want to appear in the SENDER header of email notifications in the Sender field.

  10. Specify the email address that will receive the notifications in the Default recipient field.

  11. Optional: Enter an annotation key in Annotation key for recipient. If you provide an annotation and the deployment or the namespace has a key with this value, then notifications will be sent to the email address in the annotation. Otherwise, notifications are sent to the email specified in the Default Recipient field.

  12. Optional: Select Disable TLS certificate validation (insecure) to send email without TLS. You should not disable TLS unless you are using StartTLS.

    Use TLS for email notifications. Without TLS, all email is sent unencrypted.

  13. Optional: To use StartTLS, select either Login or Plain from the Use STARTTLS (requires TLS to be disabled) drop-down menu.

    With StartTLS, credentials are passed in plain text to the email server before the session encryption is established.

    • StartTLS with the Login parameter sends authentication credentials in a base64 encoded string.

    • StartTLS with the Plain parameter sends authentication credentials to your mail relay in plain text.

Configuring policy notifications

Enable alert notifications for system policies.

  1. On the RHACS portal, navigate to Platform ConfigurationPolicies.

  2. Select one or more policies for which you want to send alerts.

  3. Under Bulk actions, select Enable notification.

  4. In the Enable notification window, select the email notifier.

    If you have not configured any other integrations, the system displays a message that no notifiers are configured.

  5. Click Enable.

  • Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.

  • Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.

  • Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:

    • A policy violation occurs for the first time in a deployment.

    • A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.