aquasecurity · josedonizetti · Jan 28, 2026 · geyslan · Jan 29, 2026 · josedonizetti
diff --git a/deploy/helm/tracee/templates/daemonset.yaml b/deploy/helm/tracee/templates/daemonset.yaml
@@ -42,19 +42,48 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-          {{- if or .Values.config.server.httpAddress .Values.config.server.metrics .Values.config.server.healthz }}
+          {{- $hasHttpServer := or .Values.config.server.httpAddress .Values.config.server.metrics .Values.config.server.healthz }}
+          {{- $hasGrpcServer := .Values.config.server.grpcAddress }}
+          {{- $grpcAddress := .Values.config.server.grpcAddress }}
+          {{- $isGrpcTcp := false }}
+          {{- $grpcPort := "" }}
+          {{- if $hasGrpcServer }}
+            {{- $parts := splitList ":" $grpcAddress }}
+            {{- if eq (index $parts 0) "tcp" }}
+              {{- $isGrpcTcp = true }}
+              {{- if gt (len $parts) 2 }}
+                {{- $grpcPort = index $parts 2 }}
+              {{- else if eq (len $parts) 2 }}
+                {{- $grpcPort = index $parts 1 }}
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- if or $hasHttpServer $hasGrpcServer }}
           ports:
+            {{- if $hasHttpServer }}
             - name: metrics
               containerPort: {{ trimPrefix ":" (.Values.config.server.httpAddress | default ":3366") }}
               protocol: TCP
+            {{- end }}
+            {{- if $isGrpcTcp }}
+            - name: grpc
+              containerPort: {{ $grpcPort }}
+              protocol: TCP
+            {{- end }}
           {{- end }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           {{- if .Values.config.server.healthz }}
           readinessProbe:
+            {{- if and $isGrpcTcp $grpcPort }}
+            grpc:
+              port: {{ $grpcPort }}
+              service: ""
+            {{- else if $hasHttpServer }}
             httpGet:
               path: /healthz
               port: {{ trimPrefix ":" (.Values.config.server.httpAddress | default ":3366") }}
+            {{- end }}
           {{- end }}
           volumeMounts:
             - name: tmp-tracee

diff --git a/pkg/cmd/flags/server.go b/pkg/cmd/flags/server.go
@@ -131,6 +131,11 @@ func PrepareServer(serverSlice []string) (ServerConfig, error) {
 		return server, err
 	}
 
+	// Enable gRPC health service if healthz flag is set
+	if server.Healthz && server.grpc != nil {
+		server.grpc.EnableHealthService()
+	}
+
 	return server, nil
 }
 

diff --git a/pkg/cmd/tracee.go b/pkg/cmd/tracee.go
@@ -2,13 +2,15 @@
 
 import (
 	"context"
+	"time"
 
 	"github.com/aquasecurity/tracee/common/errfmt"
 	"github.com/aquasecurity/tracee/common/logger"
 	"github.com/aquasecurity/tracee/pkg/cmd/printer"
 	"github.com/aquasecurity/tracee/pkg/config"
 	tracee "github.com/aquasecurity/tracee/pkg/ebpf"
 	"github.com/aquasecurity/tracee/pkg/ebpf/heartbeat"
+	"github.com/aquasecurity/tracee/pkg/server"
 	"github.com/aquasecurity/tracee/pkg/server/grpc"
 	"github.com/aquasecurity/tracee/pkg/server/http"
 	"github.com/aquasecurity/tracee/pkg/streams"
@@ -33,6 +35,17 @@
 		func(ctx context.Context) {
 			logger.Debugw("Tracee is ready callback")
 
+			// Initialize heartbeat first (shared between HTTP and gRPC servers)
+			// interval defines how often the heartbeat signal should be sent.
+			heartbeatSignalInterval := time.Duration(1 * time.Second)
+			// timeout specifies the maximum duration to wait for a heartbeat acknowledgment
+			heartbeatAckTimeout := time.Duration(2 * time.Second)
+			heartbeat.Init(ctx, heartbeatSignalInterval, heartbeatAckTimeout)
+			// Set callback for InvokeHeartbeat (defined in server package)
+			// The uprobe is attached to this function, so it must always be set
+			heartbeat.GetInstance().SetCallback(server.InvokeHeartbeat)
+			heartbeat.GetInstance().Start()
+
 			// Start HTTP server if configured
 			if r.HTTP != nil {
 				// Enable healthz endpoint with combined readiness check

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -312,7 +312,7 @@
 		SignalSchedProcessFork:     NewTraceProbe(RawTracepoint, "sched:sched_process_fork", "sched_process_fork_signal"),
 		SignalSchedProcessExec:     NewTraceProbe(RawTracepoint, "sched:sched_process_exec", "sched_process_exec_signal"),
 		SignalSchedProcessExit:     NewTraceProbe(RawTracepoint, "sched:sched_process_exit", "sched_process_exit_signal"),
-		SignalHeartbeat:            NewFixedUprobe(Uprobe, "heartbeat_capture", binaryPath, UprobeEventSymbol("github.com/aquasecurity/tracee/pkg/server/http.invokeHeartbeat")),
+		SignalHeartbeat:            NewFixedUprobe(Uprobe, "heartbeat_capture", binaryPath, UprobeEventSymbol("github.com/aquasecurity/tracee/pkg/server.InvokeHeartbeat")),
 		ExecuteFinishedX86:         NewTraceProbe(KretProbe, "__x64_sys_execve", "trace_execute_finished"),
 		ExecuteAtFinishedX86:       NewTraceProbe(KretProbe, "__x64_sys_execveat", "trace_execute_finished"),
 		ExecuteFinishedCompatX86:   NewTraceProbe(KretProbe, "__ia32_compat_sys_execve", "trace_execute_finished"),

diff --git a/pkg/server/grpc/health.go b/pkg/server/grpc/health.go
@@ -0,0 +1,65 @@
+package grpc
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc/health"
+	healthpb "google.golang.org/grpc/health/grpc_health_v1"
+
+	"github.com/aquasecurity/tracee/pkg/ebpf/heartbeat"
+)
+
+// HealthService wraps the standard gRPC health server and integrates with Tracee's heartbeat mechanism
+type HealthService struct {
+	server *health.Server
+}
+
+// NewHealthService creates a new HealthService instance
+func NewHealthService() *HealthService {
+	return &HealthService{
+		server: health.NewServer(),
+	}
+}
+
+// Server returns the underlying health server for registration
+func (h *HealthService) Server() *health.Server {
+	return h.server
+}
+
+// StartMonitor polls heartbeat status and updates gRPC health accordingly.
+// It monitors the heartbeat at regular intervals and updates the health status
+// for all registered services based on whether the heartbeat is alive.
+func (h *HealthService) StartMonitor(ctx context.Context) {
+	// Use empty string for overall server health
+	// This is sufficient for Kubernetes gRPC probes and most health checking scenarios
+	// Individual service health can be added later if needed
+	overallService := ""
+
+	// Initialize overall health as NOT_SERVING until heartbeat confirms health
+	h.server.SetServingStatus(overallService, healthpb.HealthCheckResponse_NOT_SERVING)
+
+	// Poll at the same interval as the heartbeat ack timeout (2s), since that's
+	// the boundary at which IsAlive() state actually changes.
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			// Set overall health to NOT_SERVING on shutdown
+			h.server.SetServingStatus(overallService, healthpb.HealthCheckResponse_NOT_SERVING)
+			return
+		case <-ticker.C:
+			// Poll heartbeat status
+			instance := heartbeat.GetInstance()
+			status := healthpb.HealthCheckResponse_NOT_SERVING
+			if instance != nil && instance.IsAlive() {
+				status = healthpb.HealthCheckResponse_SERVING
+			}
+
+			// Update overall health status
+			h.server.SetServingStatus(overallService, status)
+		}
+	}
+}
diff --git a/pkg/server/grpc/health_test.go b/pkg/server/grpc/health_test.go
@@ -0,0 +1,98 @@
+package grpc
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	healthpb "google.golang.org/grpc/health/grpc_health_v1"
+
+	"github.com/aquasecurity/tracee/pkg/ebpf/heartbeat"
+	"github.com/aquasecurity/tracee/pkg/server"
+)
+
+func TestHealthService_Check(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "tracee-health-tests")
+	require.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	unixSock := tempDir + "/tracee.sock"
+	defer os.Remove(unixSock)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	// Don't cancel context until test is done to avoid closing heartbeat
+	defer cancel()
+
+	// Initialize heartbeat for testing
+	// Use a background context that won't be cancelled to keep heartbeat alive
+	bgCtx := context.Background()
+	heartbeat.Init(bgCtx, 1*time.Second, 2*time.Second)
+	instance := heartbeat.GetInstance()
+	require.NotNil(t, instance)
+	instance.SetCallback(server.InvokeHeartbeat)
+	instance.Start()
+
+	// In tests, manually send pulses since uprobe isn't attached
+	pulseCtx, pulseCancel := context.WithCancel(ctx)
+	defer pulseCancel()
+	go func() {
+		ticker := time.NewTicker(500 * time.Millisecond)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				safeSendPulse()
+			case <-pulseCtx.Done():
+				return
+			}
+		}
+	}()
+
+	grpcServer := New("unix", unixSock)
+	grpcServer.EnableHealthService()
+	go grpcServer.Start(ctx, nil, nil)
+
+	// Wait for server to start
+	require.Eventually(t, func() bool {
+		_, err := os.Stat(unixSock)
+		return err == nil
+	}, 2*time.Second, 10*time.Millisecond)
+
+	// Create health client
+	conn, err := grpc.NewClient("unix:"+unixSock, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	defer conn.Close()
+
+	healthClient := healthpb.NewHealthClient(conn)
+
+	// Send initial pulse immediately
+	safeSendPulse()
+
+	// Wait for health service monitor to poll and update status (polls every 2s)
+	require.Eventually(t, func() bool {
+		resp, err := healthClient.Check(ctx, &healthpb.HealthCheckRequest{})
+		return err == nil && resp.Status == healthpb.HealthCheckResponse_SERVING
+	}, 5*time.Second, 100*time.Millisecond, "health service should become SERVING")
+
+	// Test overall health (empty service name)
+	t.Run("overall health check", func(t *testing.T) {
+		resp, err := healthClient.Check(ctx, &healthpb.HealthCheckRequest{})
+		require.NoError(t, err)
+		assert.Equal(t, healthpb.HealthCheckResponse_SERVING, resp.Status)
+	})
+}
+
+// safeSendPulse safely sends a pulse, recovering from panics if the channel is closed or instance is nil
+func safeSendPulse() {
+	defer func() {
+		recover()
+	}()
+	if instance := heartbeat.GetInstance(); instance != nil {
+		heartbeat.SendPulse()
+	}
+}
diff --git a/pkg/server/grpc/server.go b/pkg/server/grpc/server.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"google.golang.org/grpc"
+	healthpb "google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/keepalive"
 
 	pb "github.com/aquasecurity/tracee/api/v1beta1"
@@ -18,18 +19,23 @@ import (
 )
 
 type Server struct {
-	listener   net.Listener
-	protocol   string
-	listenAddr string
-	server     *grpc.Server
+	listener      net.Listener
+	protocol      string
+	listenAddr    string
+	server        *grpc.Server
+	healthService *HealthService
 }
 
 func New(protocol, listenAddr string) *Server {
 	if protocol == "tcp" {
 		listenAddr = ":" + listenAddr
 	}
 
-	return &Server{listener: nil, protocol: protocol, listenAddr: listenAddr}
+	return &Server{
+		listener:   nil,
+		protocol:   protocol,
+		listenAddr: listenAddr,
+	}
 }
 
 func (s *Server) Start(ctx context.Context, t *tracee.Tracee, e *engine.Engine) {
@@ -67,6 +73,12 @@ func (s *Server) Start(ctx context.Context, t *tracee.Tracee, e *engine.Engine)
 	pb.RegisterDiagnosticServiceServer(grpcServer, &DiagnosticService{tracee: t})
 	pb.RegisterDataSourceServiceServer(grpcServer, &DataSourceService{sigEngine: e})
 
+	// Register health service only if enabled
+	if s.healthService != nil {
+		healthpb.RegisterHealthServer(grpcServer, s.healthService.Server())
+		go s.healthService.StartMonitor(ctx)
+	}
+
 	go func() {
 		logger.Debugw("Starting grpc server", "protocol", s.protocol, "address", s.listenAddr)
 		if err := grpcServer.Serve(s.listener); err != nil {
@@ -97,6 +109,11 @@ func (s *Server) Address() string {
 	return fmt.Sprintf("%s:%s", s.protocol, addr)
 }
 
+// EnableHealthService enables the gRPC health checking service
+func (s *Server) EnableHealthService() {
+	s.healthService = NewHealthService()
+}
+
 func (s *Server) cleanup() {
 	s.server.GracefulStop()
 }
diff --git a/pkg/server/heartbeat.go b/pkg/server/heartbeat.go
@@ -0,0 +1,10 @@
+package server
+
+// InvokeHeartbeat is a no-op function used as a callback for heartbeat.
+// It's instrumented by an uprobe to detect liveness.
+// This function is shared between HTTP and gRPC servers.
+//
+//go:noinline
+func InvokeHeartbeat() {
+	// Intentionally left empty
+}
diff --git a/pkg/server/http/server.go b/pkg/server/http/server.go
@@ -11,15 +11,8 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
 	"github.com/aquasecurity/tracee/common/logger"
-	"github.com/aquasecurity/tracee/pkg/ebpf/heartbeat"
 )
 
-// interval defines how often the heartbeat signal should be sent.
-const heartbeatSignalInterval = time.Duration(1 * time.Second)
-
-// timeout specifies the maximum duration to wait for a heartbeat acknowledgment
-const heartbeatAckTimeout = time.Duration(2 * time.Second)
-
 // Server represents a http server
 type Server struct {
 	hs               *http.Server
@@ -90,14 +83,6 @@ func (s *Server) Start(ctx context.Context) {
 		srvCancel()
 	}()
 
-	// Initialize heartbeat monitoring
-	heartbeatCtx, cancelHeartbeat := context.WithCancel(srvCtx)
-	defer cancelHeartbeat()
-
-	heartbeat.Init(heartbeatCtx, heartbeatSignalInterval, heartbeatAckTimeout)
-	heartbeat.GetInstance().SetCallback(invokeHeartbeat)
-	heartbeat.GetInstance().Start()
-
 	select {
 	case <-ctx.Done():
 		logger.Debugw("Context cancelled, shutting down HTTP server")
@@ -174,8 +159,3 @@ func (s *Server) IsPyroscopeEnabled() bool {
 func (s *Server) Address() string {
 	return s.address
 }
-
-//go:noinline
-func invokeHeartbeat() {
-	// Intentionally left empty
-}