exposing mail or ssh honeypot in kubernetes cluster

3/12/2020

I'm experimenting with SMTP (mailoney) and SSH honeypots in a Kubernetes cluster to be exposed to the big bad WWW. I can't seem to figure out how to get it working, since I've only recently begun to understand Kubernetes.

I've got some config now, for example my mailoney.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mailoney
spec:
  selector:
    matchLabels:
      app: mailoney
  template:
    metadata:
      labels:
        app: mailoney
    spec:
      containers:
      - name: mailoney
        image: dtagdevsec/mailoney:2006
        ports:
        - containerPort: 25

and the service config:

apiVersion: v1
kind: Service
metadata:
  name: ingress-mailoney
  labels:
    name: mailoney
spec:
  type: LoadBalancer
  ports:
    - name: smtp
      port: 25
      targetPort: 25
      protocol: TCP
  selector:
    name: mailoney

But when the load balancer is configured, it exposes the services on ports >30000, which I know is default behaviour for Kubernetes. How exactly do I configure the load balancer to allow connections on ports 25 and 22 respectively and actually let connections through to the honeypots?

Am I overlooking something really obvious?

Any help is appreciated.

-- chr0nk
kubernetes
kubernetes-ingress

2 Answers

3/12/2020

You are probably seeing the node port in the kubectl get service output? That's a red herring; the final LB port will still be 25 as requested. You can confirm this in your cloud provider's systems to be sure. The node port is an intermediary relay between the cloud LB and the internal network.

-- coderanger
Source: StackOverflow

3/13/2020

As @coderanger mentioned, your cloud provider will take care of everything and make the original port available. Reading your service manifest, I noticed that your selector is wrong: it should point to app: mailoney instead of name:. I tested it and it's working with the correct selector.

Here is how your manifest should look:

apiVersion: v1
kind: Service
metadata:
  name: ingress-mailoney
  labels:
    name: mailoney
spec:
  type: LoadBalancer
  ports:
    - name: smtp
      port: 25
      targetPort: 25
      protocol: TCP
  selector:
    app: mailoney

After changing it to app: mailoney I have the following results:

$ kubectl get service ingress-mailoney -o wide
NAME               TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)        AGE   SELECTOR
ingress-mailoney   LoadBalancer   10.31.250.51   104.197.119.16   25:30601/TCP   44m   app=mailoney
$ telnet 104.197.119.16 25
Trying 104.197.119.16...
Connected to 104.197.119.16.
Escape character is '^]'.
220 mailrelay.local ESMTP Exim 4.81 #1 Thu, 29 Jul 2010 05:13:48 -0700

As you can see, it's working as designed. Please let me know if this answer helped you.

-- mWatney
Source: StackOverflow
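The selector mismatch above is easy to miss by eye, because the Service's own metadata.labels carry name: mailoney while only spec.selector is compared against the pod template's labels. The following preflight check, added here as an example and not code from the question or either answer, compares a Service manifest's spec.selector against a Deployment's pod template labels and produces a corrected copy. The two manifests are the ones posted in the question, transcribed by hand into Python dicts so the check runs without a cluster or a YAML library.

```python
# Preflight check for a Service selector that matches no pods (a Service with no
# endpoints). Compares spec.selector against the Deployment's pod template labels.
import copy

# Manifests from the question, transcribed by hand into dicts (constructed for this example).
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "mailoney"},
    "spec": {
        "selector": {"matchLabels": {"app": "mailoney"}},
        "template": {
            "metadata": {"labels": {"app": "mailoney"}},
            "spec": {"containers": [{"name": "mailoney", "ports": [{"containerPort": 25}]}]},
        },
    },
}
SERVICE_BROKEN = {
    "kind": "Service",
    # metadata.labels are labels ON the Service; they play no part in endpoint selection.
    "metadata": {"name": "ingress-mailoney", "labels": {"name": "mailoney"}},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"name": "smtp", "port": 25, "targetPort": 25, "protocol": "TCP"}],
        "selector": {"name": "mailoney"},  # the bug: pods are labelled app=, not name=
    },
}

def selector_problems(service, deployment):
    """Problems with spec.selector vs the pod template labels; empty list means it matches."""
    pod_labels = deployment["spec"]["template"]["metadata"]["labels"]
    problems = []
    for key, value in service["spec"]["selector"].items():
        if key not in pod_labels:
            problems.append(f"selector key {key!r} is not a pod template label (pod labels: {sorted(pod_labels)})")
        elif pod_labels[key] != value:
            problems.append(f"selector {key}={value!r} but pods carry {key}={pod_labels[key]!r}")
    return problems

def fixed_service(service, deployment):
    """Copy of the Service whose selector is exactly the Deployment's pod template labels."""
    fixed = copy.deepcopy(service)  # leave the caller's manifest untouched
    fixed["spec"]["selector"] = dict(deployment["spec"]["template"]["metadata"]["labels"])
    return fixed

if __name__ == "__main__":
    print("as posted:", selector_problems(SERVICE_BROKEN, DEPLOYMENT) or "selector OK")
    print("fixed:    ", selector_problems(fixed_service(SERVICE_BROKEN, DEPLOYMENT), DEPLOYMENT) or "selector OK")
```

The same comparison is what `kubectl get endpoints ingress-mailoney` reveals after the fact: an empty ENDPOINTS column means the selector matched nothing, whatever the load balancer reports.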