
exposing mail or ssh honeypot in kubernetes cluster


I'm experimenting with SMTP (mailoney) and SSH honeypots in a Kubernetes cluster to be exposed to the big bad WWW. I can't seem to figure out how to get it working, since I've only recently begun to understand Kubernetes.

I've got some config now, for example my mailoney.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mailoney
spec:
  selector:
    matchLabels:
      app: mailoney
  template:
    metadata:
      labels:
        app: mailoney
    spec:
      containers:
      - name: mailoney
        image: dtagdevsec/mailoney:2006
        ports:
        - containerPort: 25

and the service config:

apiVersion: v1
kind: Service
metadata:
  name: ingress-mailoney
  labels:
    name: mailoney
spec:
  type: LoadBalancer
  ports:
    - name: smtp
      port: 25
      targetPort: 25
      protocol: TCP
  selector:
    name: mailoney

But when the loadbalancer is configured, it exposes the services on port >30000, which I know is default behaviour for Kubernetes. But how exactly do I configure the loadbalancer to allow connections on port 25 and 22 respectively and actually let connections through to the honeypots?

Am I overlooking something really obvious?

Any help is appreciated.


Solution

  • As @coderanger mentioned, your cloud provider will take care of everything and make the original port available. Reading your service manifest, I noticed that your selector is wrong: it should point to app: mailoney instead of name:. I tested it and it's working with the correct selector.

    Here is what your manifest should look like:

    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-mailoney
      labels:
        name: mailoney
    spec:
      type: LoadBalancer
      ports:
        - name: smtp
          port: 25
          targetPort: 25
          protocol: TCP
      selector:
        app: mailoney
    

    After changing it to app: mailoney I have the following results:

    $ kubectl get service ingress-mailoney -o wide
    NAME               TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)        AGE   SELECTOR
    ingress-mailoney   LoadBalancer   10.31.250.51   104.197.119.16   25:30601/TCP   44m   app=mailoney
    
    $ telnet 104.197.119.16 25
    Trying 104.197.119.16...
    Connected to 104.197.119.16.
    Escape character is '^]'.
    220 mailrelay.local ESMTP Exim 4.81 #1 Thu, 29 Jul 2010 05:13:48 -0700
    

    As you can see, it's working as designed.
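
The selector mismatch diagnosed in the answer above can be caught before anything is deployed. The following is an added example, not part of the original question or answer: it checks a Service selector against the pod template labels of candidate workloads. The helper names `make_service`, `selector_matches` and `check_service` are hypothetical, and the manifests are constructed as Python dicts mirroring the YAML on this page.

```python
# Constructed manifests mirroring the page's Deployment and Service (added example).
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "mailoney"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "mailoney"}},
        "spec": {"containers": [
            {"name": "mailoney", "ports": [{"containerPort": 25}]}]}}},
}

def make_service(selector):
    """Build the page's ingress-mailoney Service with the given selector."""
    return {"kind": "Service", "metadata": {"name": "ingress-mailoney"}, "spec": {
        "type": "LoadBalancer", "selector": selector,
        "ports": [{"name": "smtp", "port": 25, "targetPort": 25, "protocol": "TCP"}]}}

def selector_matches(selector, labels):
    """Equality-based match: every selector pair must appear in the pod labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def check_service(service, workloads):
    """Return a list of findings for one Service (hypothetical helper)."""
    name = service["metadata"]["name"]
    selector = service["spec"].get("selector") or {}
    matched = [w for w in workloads if selector_matches(
        selector, w["spec"]["template"]["metadata"].get("labels", {}))]
    findings = []
    if not matched:
        findings.append(f"{name}: selector {selector} matches no pod template, "
                        "so the Service gets no endpoints")
    for w in matched:
        ports = [p for c in w["spec"]["template"]["spec"]["containers"]
                 for p in c.get("ports", [])]
        known = {p["containerPort"] for p in ports} | {p.get("name") for p in ports}
        for sp in service["spec"]["ports"]:
            target = sp.get("targetPort", sp["port"])
            if target not in known:  # containerPort is informational: hint only
                findings.append(f"{name}: targetPort {target} not declared by "
                                f"{w['metadata']['name']}")
    return findings

if __name__ == "__main__":
    for sel in ({"name": "mailoney"}, {"app": "mailoney"}):
        print(sel, "->", check_service(make_service(sel), [DEPLOYMENT]) or "OK")
```

On a live cluster the same mismatch shows up as an empty endpoint list in `kubectl get endpoints ingress-mailoney`.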