diff --git a/pkg/kubehound/graph/edge/escape_umh_core_pattern.go b/pkg/kubehound/graph/edge/escape_umh_core_pattern.go
index 22340ce58..40ee89093 100644
--- a/pkg/kubehound/graph/edge/escape_umh_core_pattern.go
+++ b/pkg/kubehound/graph/edge/escape_umh_core_pattern.go
@@ -54,32 +54,32 @@ func (e *EscapeCorePattern) Stream(ctx context.Context, store storedb.Provider,
 },
 {
 "$lookup": bson.M{
- "as": "procMountContainers",
- "from": "volumes",
- "let": bson.M{
- "rootContainerId": "$container_id",
- },
+ "as": "procMountContainers",
+ "from": "volumes",
+ "foreignField": "pod_id",
+ "localField": "pod_id",
 "pipeline": []bson.M{
 {
 "$match": bson.M{
 "$and": bson.A{
- bson.M{"$expr": bson.M{
- "$eq": bson.A{
- "$container_id", "$$rootContainerId",
- },
+ bson.M{"type": shared.VolumeTypeHost},
+ bson.M{"source": bson.M{
+ "$in": ProcMountList,
 }},
+ bson.M{"runtime.runID": e.runtime.RunID.String()},
+ bson.M{"runtime.cluster": e.runtime.ClusterName},
 },
- "type": shared.VolumeTypeHost,
- "source": bson.M{
- "$in": ProcMountList,
- },
- "runtime.runID": e.runtime.RunID.String(),
- "runtime.cluster": e.runtime.ClusterName,
 },
 },
 },
 },
 },
+ {
+ "$unwind": bson.M{
+ "path": "$procMountContainers",
+ "preserveNullAndEmptyArrays": false,
+ },
+ },
 {
 "$project": bson.M{
 "_id": 1,
diff --git a/pkg/kubehound/storage/storedb/index_builder.go b/pkg/kubehound/storage/storedb/index_builder.go
index d06e40eef..f7839f5df 100644
--- a/pkg/kubehound/storage/storedb/index_builder.go
+++ b/pkg/kubehound/storage/storedb/index_builder.go
@@ -123,6 +123,14 @@ func (ib *IndexBuilder) containers(ctx context.Context) error {
 },
 Options: options.Index().SetName("byRun"),
 },
+ {
+ Keys: bson.D{
+ {Key: "k8.securitycontext.runasuser", Value: 1},
+ {Key: "runtime.runID", Value: 1},
+ {Key: "runtime.cluster", Value: 1},
+ },
+ Options: options.Index().SetName("byRunAsUser"),
+ },
 }
 
 _, err := containers.Indexes().CreateMany(ctx, indices)
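Review bot: Keying the `$lookup` on `pod_id` instead of the previous `$container_id` correlation widens the volume match to every hostPath volume recorded for the pod, so a container that does not itself mount a `ProcMountList` path can be joined to a sibling container's mount and end up with an escape edge it cannot actually use — if the `volumes` records are per-container mounts (the old `rootContainerId` variable suggests they are), this is a false-positive source that a test with a two-container pod, only one of which mounts /proc, would expose. The new `$unwind` with `preserveNullAndEmptyArrays: false` also emits one document per matching volume, so a container with several matching mounts yields duplicate candidates unless the following `$project` stage or the edge writer dedupes them. Combining `localField`/`foreignField` with `pipeline` in a single `$lookup` is, as far as I know, accepted only by MongoDB 5.0 and later, so a comment such as `// $lookup with localField/foreignField plus pipeline requires MongoDB >= 5.0` on the stage would document the constraint if the project's minimum server version is not already pinned. Stream's body starts and ends outside this hunk.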
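Review bot: The new `byRunAsUser` index has no consumer visible in this diff (the edge pipeline in the other file does not filter on `k8.securitycontext.runasuser`), so a one-line comment naming the query it serves, e.g. `// byRunAsUser: supports edge lookups that filter containers by securityContext.runAsUser within a run`, would keep it from being dropped as unused later. The key order is fine for pure equality filters, but if the consumer uses a range or `$exists` test on `runasuser` while always filtering `runtime.runID`/`runtime.cluster` by equality, placing `runasuser` last would follow MongoDB's equality-before-range guidance; this depends on the query, which I cannot see here. containers's body starts outside this hunk.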