Integration with Email
Alauda Security Service supports sending notifications by email. You can configure an existing email provider or mail relay to forward alerts about policy violations. Notifications can be sent to a default recipient or determined dynamically from deployment or namespace annotations.
Port 25 is blocked by default. Configure your mail server to use port 587 or 465 for sending email notifications.
Configuring Email Integration
Follow these steps to set up email notifications:
Add a New Email Integration
- Navigate to Platform Configuration > Integrations.
- Under Notifier Integrations, select Email.
- Click New integration.
- Enter a name for your integration in the Integration name field.
- In the Email server field, provide the address of your email server, including the FQDN and port (e.g., smtp.example.com:465).
- (Optional) To use unauthenticated SMTP, select Enable unauthenticated SMTP.
WARNING
This is insecure and not recommended unless required for internal servers.
INFO
You cannot change an existing email integration that uses authentication to enable unauthenticated SMTP. Delete the existing integration and create a new one with Enable unauthenticated SMTP selected.
- Enter the username and password for the service account used for authentication.
- (Optional) Specify the display name for the FROM header in the From field (e.g., Security Alerts).
- Enter the sender's email address in the Sender field.
- Specify the default recipient's email address in the Default recipient field.
- (Optional) Enter an annotation key in Annotation key for recipient if you want the platform to determine recipients dynamically from deployment or namespace annotations.
- (Optional) Configure transport security settings:
  - Select Disable TLS (insecure) if you need to connect without TLS.
  - Select a value in Use STARTTLS (requires TLS to be disabled) if your mail server requires StartTLS. The available values are Disabled, Login, and Plain.
  - Select Skip TLS verification only if the server certificate cannot be validated and your environment explicitly allows this behavior.
- (Optional) Enter a hostname in Hostname for SMTP HELO/EHLO if your mail relay requires a specific identity during the SMTP handshake. If you leave it blank, localhost is used.
- (Optional) Click Test to verify the connection.
- Click Save.
Dynamic Recipient with Annotations
You can use annotations to dynamically determine the recipient of email notifications:
- In the Annotation key for recipient field, enter an annotation key (for example, email).
- Add an annotation to your deployment or namespace YAML file:
- Alauda Security Service sends the alert to the email specified in the annotation. If no annotation is found, the alert is sent to the default recipient.
Recipient Resolution Rules:
- If a deployment has the annotation key, its value overrides the default recipient.
- If the namespace has the annotation key, its value overrides the default recipient.
- If neither exists, the default recipient is used.
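The resolution rules above, modelled in Python as an added example (not Alauda Security Service code) that also shows where the annotation sits in a manifest. The manifests and addresses are constructed, the key email follows the example above, and the deployment-before-namespace order, the handling of empty values, and the ALLOWED_DOMAINS audit are assumptions of this example.

```python
import re

ANNOTATION_KEY = "email"                  # value of "Annotation key for recipient"
DEFAULT_RECIPIENT = "secops@example.com"  # constructed default recipient
ALLOWED_DOMAINS = {"example.com"}         # hypothetical allow-list used by audit()
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

def annotation(manifest, key):
    """Return metadata.annotations[key]; empty values count as absent (assumption)."""
    value = ((manifest.get("metadata") or {}).get("annotations") or {}).get(key)
    return value.strip() if isinstance(value, str) and value.strip() else None

def resolve_recipient(deployment, namespace, key=ANNOTATION_KEY,
                      default=DEFAULT_RECIPIENT):
    """Deployment annotation, then namespace annotation (assumed order), then default."""
    for source, manifest in (("deployment", deployment), ("namespace", namespace)):
        value = annotation(manifest, key)
        if value is not None:
            return value, source
    return default, "default"

def audit(deployment, namespace):
    """Resolve the recipient and flag a malformed or off-domain address."""
    recipient, source = resolve_recipient(deployment, namespace)
    match = EMAIL_RE.match(recipient)
    if match is None:
        finding = "malformed address"
    elif match.group(1).lower() not in ALLOWED_DOMAINS:
        finding = "recipient outside allowed domains"
    else:
        finding = None
    return {"recipient": recipient, "source": source, "finding": finding}

# Constructed manifests, reduced to the fields the rules read.
NS_PAYMENTS = {"kind": "Namespace", "metadata": {
    "name": "payments", "annotations": {"email": "payments-team@example.com"}}}
NS_TOOLS = {"kind": "Namespace", "metadata": {"name": "tools"}}
DEPLOY_API = {"kind": "Deployment", "metadata": {
    "name": "api", "annotations": {"email": "api-oncall@example.com"}}}
DEPLOY_WORKER = {"kind": "Deployment", "metadata": {"name": "worker"}}
DEPLOY_ODD = {"kind": "Deployment", "metadata": {
    "name": "odd", "annotations": {"email": "someone@mail.invalid"}}}

if __name__ == "__main__":
    for dep, ns in ((DEPLOY_API, NS_PAYMENTS), (DEPLOY_WORKER, NS_PAYMENTS),
                    (DEPLOY_ODD, NS_TOOLS)):
        print(dep["metadata"]["name"], audit(dep, ns))
```

Running the audit over exported manifests shows which workloads route alerts away from the default recipient and whether any annotation value points outside the domains you expect.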
TLS and StartTLS Settings
- (Optional) Select Disable TLS (insecure) if you need to connect to the mail server without TLS.
INFO
Use TLS for email notifications whenever possible. Without TLS, all email is sent unencrypted. Do not disable TLS certificate validation unless you are using StartTLS.
- (Optional) To use StartTLS, select either Login or Plain from the Use STARTTLS (requires TLS to be disabled) drop-down menu.
  - Login: Credentials are sent as a base64-encoded string.
  - Plain: Credentials are sent in plain text.
- (Optional) Select Skip TLS verification only if the server certificate cannot be validated against the trusted certificate chain.
With StartTLS, credentials are passed in plain text to the email server before the session encryption is established.
Enabling Email Notifications for Policies
- In the Alauda Security Service portal, go to Platform Configuration > Policy Management.
- Select one or more policies to enable notifications for.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, choose the Email notifier.
- Click Enable.
- Notifications are opt-in. Assign a notifier to each policy to receive alerts.
- Notifications are sent only once per alert. A new alert is generated for:
  - The first policy violation in a deployment.
  - A runtime-phase policy violation after the previous alert is resolved.
By following these steps, you can ensure that Alauda Security Service notifies the right people about important security events in your container platform.