npm - @xdev-asia/xdev-knowledge-mcp - Versions diffs - 1.0.43 → 1.0.45 - Mend

@xdev-asia/xdev-knowledge-mcp 1.0.43 → 1.0.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/content/series/luyen-thi/luyen-thi-ckad/chapters/05-services-networking/lessons/09-services-ingress.md ADDED Viewed

@@ -0,0 +1,182 @@
+---
+id: ckad-d5-l09
+title: 'Bài 9: Services & Ingress'
+slug: 09-services-ingress
+description: >-
+  Service types: ClusterIP, NodePort, LoadBalancer, ExternalName. kubectl expose.
+  Ingress resources, IngressClass, TLS termination và path-based routing.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 9
+section_title: "Domain 5: Services and Networking (20%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai9-services-ingress.png" alt="Service Types và Ingress Routing — ClusterIP, NodePort, LoadBalancer" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="service-types">1. Service Types</h2>
+<table>
+<thead><tr><th>Type</th><th>Access</th><th>Dùng khi nào</th></tr></thead>
+<tbody>
+<tr><td><strong>ClusterIP</strong></td><td>Internal only (cluster DNS)</td><td>Service-to-service communication (default)</td></tr>
+<tr><td><strong>NodePort</strong></td><td>NodeIP:30000-32767</td><td>Dev/test external access</td></tr>
+<tr><td><strong>LoadBalancer</strong></td><td>Cloud LB external IP</td><td>Production external access (cloud)</td></tr>
+<tr><td><strong>ExternalName</strong></td><td>CNAME DNS alias</td><td>Route to external DNS name</td></tr>
+</tbody>
+</table>
+<pre><code class="language-text">ClusterIP (default):
+apiVersion: v1
+kind: Service
+metadata:
+  name: myapp-svc
+spec:
+  type: ClusterIP     # Can omit — default
+  selector:
+    app: myapp
+  ports:
+  - port: 80          # Service port (what clients connect to)
+    targetPort: 8080  # Container port (where app listens)
+NodePort:
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    nodePort: 30080   # Optional: 30000-32767 range (auto-assigned if omitted)</code></pre>
+<h2 id="kubectl-expose">2. kubectl expose</h2>
+<pre><code class="language-text"># Expose Deployment as ClusterIP (default)
+kubectl expose deployment myapp --port=80 --target-port=8080
+# Expose as NodePort
+kubectl expose deployment myapp --port=80 --target-port=8080 --type=NodePort
+# Expose a Pod
+kubectl expose pod mypod --port=80 --name=mypod-svc
+# Expose existing service quickly and redirect traffic
+kubectl run nginx --image=nginx --port=80 --expose
+# This creates both the Pod AND the ClusterIP Service</code></pre>
+<blockquote><p><strong>Exam tip:</strong> <code>kubectl expose</code> cần selector match với Pod labels. Nếu Deployment đang dùng <code>app: myapp</code>, Service selector phải là <code>app: myapp</code>. Flag <code>--expose</code> khi dùng với <code>kubectl run</code> tạo cả Pod lẫn Service cùng lúc — rất nhanh trong exam.</p></blockquote>
+<h2 id="ingress">3. Ingress</h2>
+<p>Ingress là L7 HTTP/HTTPS routing — một điểm vào, route đến nhiều Services dựa trên host/path.</p>
+<pre><code class="language-text">                     ┌─────────────────────────────────┐
+Internet ──────────►│   Ingress Controller (nginx)     │
+                     │                                  │
+                     │  /api  ──────────► api-service   │
+                     │  /web  ──────────► web-service   │
+                     │  blog.example.com → blog-service │
+                     └─────────────────────────────────┘</code></pre>
+<pre><code class="language-text">apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myapp-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  ingressClassName: nginx       # Which IngressClass to use
+  tls:
+  - hosts:
+    - myapp.example.com
+    secretName: myapp-tls       # TLS cert stored as Secret
+  rules:
+  - host: myapp.example.com
+    http:
+      paths:
+      - path: /api
+        pathType: Prefix        # Prefix or Exact
+        backend:
+          service:
+            name: api-service
+            port:
+              number: 80
+      - path: /web
+        pathType: Prefix
+        backend:
+          service:
+            name: web-service
+            port:
+              number: 80</code></pre>
+<table>
+<thead><tr><th>pathType</th><th>Hành vi</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td><strong>Exact</strong></td><td>Match chính xác path</td><td><code>/api</code> chỉ match <code>/api</code></td></tr>
+<tr><td><strong>Prefix</strong></td><td>Match path prefix</td><td><code>/api</code> match <code>/api</code>, <code>/api/v1</code>, <code>/api/users</code></td></tr>
+<tr><td><strong>ImplementationSpecific</strong></td><td>Tùy IngressClass</td><td>Depends on controller</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Ingress cần <strong>Ingress Controller</strong> (như nginx, traefik) mới hoạt động — Ingress resource chỉ là config. IngressClass chỉ định controller nào xử lý. Trong exam, IngressClass thường đã được setup sẵn. Nhớ check <code>kubectl get ingressclass</code> để biết tên.</p></blockquote>
+<h2 id="debug-service">4. Debug Service Connectivity</h2>
+<pre><code class="language-text"># Check service exists và endpoints
+kubectl get services
+kubectl get endpoints myapp-svc
+# Test connectivity từ trong cluster (create temp pod)
+kubectl run test --image=busybox --rm -it -- wget -qO- http://myapp-svc
+kubectl run test --image=curlimages/curl --rm -it -- curl http://myapp-svc:80
+# Check if selector matches pods
+kubectl get pods -l app=myapp  # Should match service selector
+kubectl describe service myapp-svc  # Shows Endpoints section
+# If Endpoints is empty: selector mismatch!
+# Check: kubectl get pods --show-labels</code></pre>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Task</th><th>Command</th></tr></thead>
+<tbody>
+<tr><td>Expose Deployment</td><td><code>kubectl expose deploy/app --port=80 --type=NodePort</code></td></tr>
+<tr><td>Create Pod + Service</td><td><code>kubectl run nginx --image=nginx --port=80 --expose</code></td></tr>
+<tr><td>Check service endpoints</td><td><code>kubectl get endpoints svc-name</code></td></tr>
+<tr><td>Test service từ trong cluster</td><td><code>kubectl run tmp --image=busybox --rm -it -- wget -O- http://svc</code></td></tr>
+<tr><td>Ingress với TLS</td><td>tls: secretName + hosts trong rules</td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A Deployment named "webapp" with selector app=webapp runs on port 8080. You need to create a Service that makes it accessible within the cluster on port 80. Which command creates this correctly?</p>
+<ul>
+<li>A) <code>kubectl expose deployment webapp --port=8080</code></li>
+<li>B) <code>kubectl expose deployment webapp --port=80 --target-port=8080</code> ✓</li>
+<li>C) <code>kubectl create service clusterip webapp --port=8080:80</code></li>
+<li>D) <code>kubectl expose deployment webapp --type=ClusterIP --port=80</code></li>
+</ul>
+<p><em>Explanation: --port=80 is the Service port (what clients use), --target-port=8080 is the container port (where the app listens). Without --target-port, Kubernetes assumes target-port equals port. Option D would work but uses same port 80 for both.</em></p>
+<p><strong>Q2:</strong> An Ingress resource exists but traffic doesn't reach the backend Services. kubectl get endpoints shows the correct Pod IPs. What is the most likely cause?</p>
+<ul>
+<li>A) The Service type should be LoadBalancer instead of ClusterIP</li>
+<li>B) No Ingress Controller is installed or the ingressClassName is wrong ✓</li>
+<li>C) The Ingress needs TLS configured</li>
+<li>D) The pathType should be Exact instead of Prefix</li>
+</ul>
+<p><em>Explanation: Ingress resources are just configuration objects. Without an Ingress Controller, nothing processes the rules. If the ingressClassName doesn't match an IngressClass connected to a running controller, the Ingress is effectively ignored. Always verify kubectl get ingressclass and that the controller Pod is running.</em></p>
+<p><strong>Q3:</strong> Which Service type provides external access using a port in the range 30000-32767 on every cluster node?</p>
+<ul>
+<li>A) ClusterIP</li>
+<li>B) ExternalName</li>
+<li>C) NodePort ✓</li>
+<li>D) LoadBalancer</li>
+</ul>
+<p><em>Explanation: NodePort opens a port in the 30000-32767 range on every Node in the cluster. External traffic can reach the Service via NodeIP:NodePort. This is typically used for development and testing. LoadBalancer provides a cloud load balancer with a stable external IP, which is preferred for production.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/chapters/05-services-networking/lessons/10-networkpolicies-exam-strategy.md ADDED Viewed

@@ -0,0 +1,236 @@
+---
+id: ckad-d5-l10
+title: 'Bài 10: NetworkPolicies & CKAD Exam Strategy'
+slug: 10-networkpolicies-exam-strategy
+description: >-
+  NetworkPolicy ingress/egress rules, default-deny patterns và pod selector.
+  CKAD exam strategy: kubectl shortcuts, --dry-run pattern và time management.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 10
+section_title: "Domain 5: Services and Networking (20%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai10-networkpolicy.png" alt="NetworkPolicy — ingress/egress rules, default-deny và AND/OR logic" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="networkpolicy">1. NetworkPolicy</h2>
+<p>Mặc định, tất cả Pods trong cluster có thể communicate với nhau. NetworkPolicy giới hạn traffic dựa trên labels.</p>
+<pre><code class="language-text">Default: All pods can talk to all pods (no restriction)
+After applying default-deny-all:
+  Pod A ──✗──► Pod B (blocked)
+  Pod A ──✗──► Pod C (blocked)
+After applying allow policy:
+  Pod A (app=frontend) ──✓──► Pod B (app=backend, port 3000)
+  Pod A ──✗──► Pod C (app=database) (still blocked)</code></pre>
+<h2 id="policy-syntax">2. NetworkPolicy Syntax</h2>
+<pre><code class="language-text">apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: backend-policy
+  namespace: production
+spec:
+  podSelector:         # Applies to these pods (empty = all pods in ns)
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Ingress            # Controls inbound traffic
+  - Egress             # Controls outbound traffic
+  ingress:
+  - from:
+    - podSelector:     # Allow from pods with this label
+        matchLabels:
+          app: frontend
+    - namespaceSelector: # Allow from pods in these namespaces
+        matchLabels:
+          name: production
+    ports:
+    - protocol: TCP
+      port: 3000
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: database
+    ports:
+    - protocol: TCP
+      port: 5432</code></pre>
+<blockquote><p><strong>Exam tip — AND vs OR trong NetworkPolicy:</strong><br/>
+<code>from: [{podSelector}, {namespaceSelector}]</code> = OR (pod from either selector)<br/>
+<code>from: [{podSelector + namespaceSelector}]</code> in SAME item = AND (pod matching both)<br/>
+Đây là một trong những câu hỏi trap nhất của CKAD.</p></blockquote>
+<h2 id="common-patterns">3. Common Patterns</h2>
+<pre><code class="language-text">Pattern 1: Default deny all ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+spec:
+  podSelector: {}     # Empty = match ALL pods
+  policyTypes:
+  - Ingress
+  # No ingress rules = deny all ingress
+Pattern 2: Default deny all (both ingress + egress)
+---
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  # No rules = deny all
+Pattern 3: Allow all ingress (override deny)
+---
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}  # Empty rule = allow all ingress</code></pre>
+<table>
+<thead><tr><th>Pattern</th><th>policyTypes</th><th>Rules</th><th>Effect</th></tr></thead>
+<tbody>
+<tr><td>Deny all ingress</td><td>[Ingress]</td><td>Không có ingress rules</td><td>Block all inbound</td></tr>
+<tr><td>Deny all egress</td><td>[Egress]</td><td>Không có egress rules</td><td>Block all outbound</td></tr>
+<tr><td>Allow specific</td><td>[Ingress]</td><td>ingress rules listed</td><td>Allow matching only</td></tr>
+<tr><td>Allow DNS egress</td><td>[Egress]</td><td>to port 53 (UDP+TCP)</td><td>Allow DNS queries</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> NetworkPolicy chỉ hoạt động nếu CNI plugin hỗ trợ (Calico, Cilium, Weave). <strong>Flannel không hỗ trợ NetworkPolicy!</strong> Ingress/Egress rules là additive — nếu nhiều policies apply đến cùng Pod, Kubernetes OR tất cả rules lại.</p></blockquote>
+<h2 id="exam-strategy">4. CKAD Exam Strategy</h2>
+<pre><code class="language-text">Thông tin exam:
+- 2 giờ, ~15-20 tasks thực hành (performance-based)
+- Mỗi task có value % khác nhau (ưu tiên task cao điểm trước)
+- Pass score: 66%
+- Được dùng docs: kubernetes.io/docs + helm.sh/docs
+Keyboard shortcuts quan trọng:
+  k = kubectl (export alias k=kubectl trong exam, đã set sẵn)
+  CTRL+R = search command history
+  CTRL+A = go to beginning of line</code></pre>
+<pre><code class="language-text">Workflow cho mỗi task:
+1. ĐỌC KỸ task description (đặc biệt để ý namespace!)
+2. Switch context nếu cần:
+   kubectl config use-context cluster-name
+3. Set namespace shortcut:
+   export ns=target-namespace
+   alias kn="kubectl -n $ns"
+4. Dùng --dry-run=client -o yaml để generate YAML:
+   kubectl run pod --image=nginx --dry-run=client -o yaml > pod.yaml
+5. Edit YAML, apply, verify:
+   kubectl apply -f pod.yaml
+   kubectl get pods -n $ns</code></pre>
+<h2 id="dry-run-pattern">5. --dry-run Pattern</h2>
+<pre><code class="language-text"># Generate YAML templates nhanh hơn viết tay:
+Pod:
+  kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
+Deployment:
+  kubectl create deployment myapp --image=nginx --replicas=3 \
+    --dry-run=client -o yaml > deploy.yaml
+Service (ClusterIP):
+  kubectl create service clusterip myapp --tcp=80:8080 \
+    --dry-run=client -o yaml > svc.yaml
+ConfigMap:
+  kubectl create configmap myconfig --from-literal=k=v \
+    --dry-run=client -o yaml > cm.yaml
+Secret:
+  kubectl create secret generic mysecret --from-literal=pass=secret \
+    --dry-run=client -o yaml > secret.yaml
+Job:
+  kubectl create job myjob --image=busybox -- echo hello \
+    --dry-run=client -o yaml > job.yaml
+CronJob:
+  kubectl create cronjob mycron --image=busybox --schedule="*/1 * * * *" \
+    -- echo hello --dry-run=client -o yaml > cron.yaml</code></pre>
+<h2 id="kubectl-shortcuts">6. Essential kubectl Shortcuts</h2>
+<table>
+<thead><tr><th>Lệnh đầy đủ</th><th>Short form</th></tr></thead>
+<tbody>
+<tr><td><code>kubectl get pods</code></td><td><code>k get po</code></td></tr>
+<tr><td><code>kubectl get deployments</code></td><td><code>k get deploy</code></td></tr>
+<tr><td><code>kubectl get services</code></td><td><code>k get svc</code></td></tr>
+<tr><td><code>kubectl get namespaces</code></td><td><code>k get ns</code></td></tr>
+<tr><td><code>kubectl get persistentvolumeclaims</code></td><td><code>k get pvc</code></td></tr>
+<tr><td><code>kubectl get configmaps</code></td><td><code>k get cm</code></td></tr>
+<tr><td><code>kubectl get serviceaccounts</code></td><td><code>k get sa</code></td></tr>
+<tr><td><code>kubectl get networkpolicies</code></td><td><code>k get netpol</code></td></tr>
+<tr><td><code>kubectl describe pod mypod</code></td><td><code>k describe po mypod</code></td></tr>
+<tr><td><code>kubectl delete pod mypod --force</code></td><td><code>k delete po mypod --force</code></td></tr>
+</tbody>
+</table>
+<h2 id="cheatsheet">7. Final CKAD Cheat Sheet</h2>
+<table>
+<thead><tr><th>Domain</th><th>Key Topics</th><th>% Weight</th></tr></thead>
+<tbody>
+<tr><td>App Design & Build</td><td>Multi-container, Init Containers, Jobs, CronJobs, volumes</td><td>20%</td></tr>
+<tr><td>App Deployment</td><td>Rolling updates, rollbacks, Helm, Kustomize</td><td>20%</td></tr>
+<tr><td>App Observability</td><td>Probes (liveness/readiness/startup), logs, debug</td><td>15%</td></tr>
+<tr><td>App Env/Config/Security</td><td>ConfigMaps, Secrets, SecurityContext, SA, Resources, QoS</td><td>25%</td></tr>
+<tr><td>Services & Networking</td><td>Services, Ingress, NetworkPolicies</td><td>20%</td></tr>
+</tbody>
+</table>
+<h2 id="practice">8. Practice Questions</h2>
+<p><strong>Q1:</strong> You apply a NetworkPolicy with podSelector: {} and policyTypes: [Ingress] but no ingress rules. What happens?</p>
+<ul>
+<li>A) All ingress traffic is allowed (no rules = no restriction)</li>
+<li>B) All ingress traffic to ALL pods in the namespace is denied ✓</li>
+<li>C) All pods are deleted</li>
+<li>D) Only external ingress is denied; internal pod-to-pod traffic is allowed</li>
+</ul>
+<p><em>Explanation: podSelector: {} matches ALL pods in the namespace. policyTypes: [Ingress] says this policy controls ingress. Having no ingress rules means zero traffic is allowed. This is the "default deny all ingress" pattern. Pod-to-pod traffic within the cluster is also denied because NetworkPolicy controls all ingress, regardless of source.</em></p>
+<p><strong>Q2:</strong> In a NetworkPolicy, what is the difference between these two from clauses?<br/>
+Clause A: from: [{podSelector: {app: web}}, {namespaceSelector: {env: prod}}]<br/>
+Clause B: from: [{podSelector: {app: web}, namespaceSelector: {env: prod}}]</p>
+<ul>
+<li>A) They are identical</li>
+<li>B) Clause A: allow from pods with app=web OR from any pod in env=prod namespace. Clause B: allow only from pods with app=web AND in env=prod namespace ✓</li>
+<li>C) Clause A uses AND logic, Clause B uses OR logic</li>
+<li>D) Clause B is invalid YAML syntax</li>
+</ul>
+<p><em>Explanation: In NetworkPolicy, when podSelector and namespaceSelector are in SEPARATE list items (separated by -), they use OR logic. When they are in the SAME list item (same indentation level, no -), they use AND logic. This is a critical distinction and a common exam trap.</em></p>
+<p><strong>Q3:</strong> During the CKAD exam, you need to create a Deployment with a specific Pod spec. What is the fastest approach?</p>
+<ul>
+<li>A) Write the entire YAML from memory</li>
+<li>B) Search kubernetes.io docs and copy-paste example YAML</li>
+<li>C) Use kubectl create deployment --dry-run=client -o yaml to generate a template, then edit ✓</li>
+<li>D) Use helm to deploy a chart with default values</li>
+</ul>
+<p><em>Explanation: The --dry-run=client -o yaml pattern generates valid YAML without creating resources. You redirect to a file, edit only the fields that differ, then apply. This is faster than manual YAML authoring and less likely to have syntax errors. Combining with > file.yaml lets you make precise edits.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/index.md ADDED Viewed

@@ -0,0 +1,199 @@
+---
+id: lt-ckad-series-001
+title: "Luyện thi CKAD — Certified Kubernetes Application Developer"
+slug: luyen-thi-ckad
+description: >-
+  Lộ trình ôn tập toàn diện cho kỳ thi CKAD (Certified Kubernetes Application Developer).
+  Bao phủ đầy đủ 5 domain hands-on: App Environment & Security (25%), App Design & Build (20%),
+  App Deployment (20%), Services & Networking (20%), App Observability (15%).
+  10 bài học kèm bài tập thực hành terminal.
+featured_image: images/blog/luyen-thi-ckad-banner.png
+level: intermediate
+duration_hours: 28
+lesson_count: 10
+price: '0.00'
+is_free: true
+view_count: 0
+average_rating: '0.00'
+review_count: 0
+enrollment_count: 0
+meta: null
+published_at: '2026-04-05T10:00:00.000000Z'
+created_at: '2026-04-05T10:00:00.000000Z'
+author:
+  id: 019c9616-d2b4-713f-9b2c-40e2e92a05cf
+  name: Duy Tran
+  avatar: avatars/7e8eb5c6-4cac-455b-a701-4060f085d501.jpeg
+category:
+  id: 019c9616-cat9-7009-a009-000000000009
+  name: Luyện thi chứng chỉ
+  slug: luyen-thi
+tags:
+- name: Kubernetes
+    slug: kubernetes
+- name: CKAD
+    slug: ckad
+- name: CNCF
+    slug: cncf
+- name: Chứng chỉ
+    slug: chung-chi
+- name: DevOps
+    slug: devops
+- name: Linux Foundation
+    slug: linux-foundation
+quiz_slug: ckad
+sections:
+- id: ckad-section-01
+    title: "Domain 1: Application Design and Build (20%)"
+    description: Multi-container pods, init containers, jobs, CronJobs
+    sort_order: 1
+    lessons:
+  - id: ckad-d1-l01
+        title: "Bài 1: Multi-container Pods & Init Containers"
+        slug: 01-multi-container-pods
+        description: >-
+          Sidecar pattern, Ambassador, Adapter patterns.
+          Init containers: sequencing, use cases.
+          Shared volumes giữa containers. Container ports.
+          Ephemeral containers cho debugging.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 1
+        video_url: null
+  - id: ckad-d1-l02
+        title: "Bài 2: Jobs, CronJobs & Resource Management"
+        slug: 02-jobs-cronjobs-resources
+        description: >-
+          Job completions, parallelism, backoffLimit.
+          CronJob schedule syntax, concurrencyPolicy.
+          Resource requests vs limits. QoS classes: Guaranteed, Burstable, BestEffort.
+          LimitRange, ResourceQuota.
+        duration_minutes: 55
+        is_free: true
+        sort_order: 2
+        video_url: null
+- id: ckad-section-02
+    title: "Domain 2: Application Deployment (20%)"
+    description: Rolling updates, rollbacks, Helm, Kustomize, deployment strategies
+    sort_order: 2
+    lessons:
+  - id: ckad-d2-l01
+        title: "Bài 3: Rolling Updates, Rollbacks & Deployment Strategies"
+        slug: 03-rolling-updates-rollbacks
+        description: >-
+          RollingUpdate vs Recreate strategy. maxUnavailable, maxSurge.
+          kubectl rollout history/undo/status. Blue-Green deployment.
+          Canary deployment với labels. Pause/resume rollouts.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 3
+        video_url: null
+  - id: ckad-d2-l02
+        title: "Bài 4: Helm & Kustomize Basics"
+        slug: 04-helm-kustomize
+        description: >-
+          Helm chart structure: Chart.yaml, values.yaml, templates/.
+          helm install/upgrade/rollback. Helm hooks.
+          Kustomize: base + overlays, patches, namePrefix.
+          kubectl apply -k vs helm install.
+        duration_minutes: 55
+        is_free: true
+        sort_order: 4
+        video_url: null
+- id: ckad-section-03
+    title: "Domain 3: Application Observability and Maintenance (15%)"
+    description: Probes, logging, monitoring, debugging
+    sort_order: 3
+    lessons:
+  - id: ckad-d3-l01
+        title: "Bài 5: Probes, Logging & Debugging"
+        slug: 05-probes-logging-debugging
+        description: >-
+          Liveness, Readiness, Startup probes: httpGet, exec, tcpSocket.
+          probe timing: initialDelaySeconds, periodSeconds, failureThreshold.
+          kubectl logs, stern. kubectl exec. Debugging crashed containers.
+          kubectl top (metrics-server). Events và conditions.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 5
+        video_url: null
+- id: ckad-section-04
+    title: "Domain 4: Application Environment, Configuration & Security (25%)"
+    description: ConfigMaps, Secrets, SecurityContext, ServiceAccounts, RBAC
+    sort_order: 4
+    lessons:
+  - id: ckad-d4-l01
+        title: "Bài 6: ConfigMaps & Secrets"
+        slug: 06-configmaps-secrets
+        description: >-
+          ConfigMap: từ literal, file, env. Inject qua env / envFrom / volume.
+          Secret types: Opaque, TLS, dockerconfigjson. Base64 encoding.
+          Secrets as volumes vs env vars. External Secrets overview.
+        duration_minutes: 55
+        is_free: true
+        sort_order: 6
+        video_url: null
+  - id: ckad-d4-l02
+        title: "Bài 7: SecurityContext & Pod Security"
+        slug: 07-securitycontext-pod-security
+        description: >-
+          runAsUser, runAsGroup, fsGroup. readOnlyRootFilesystem.
+          capabilities: add/drop. allowPrivilegeEscalation.
+          Pod Security Standards: Privileged, Baseline, Restricted.
+          ServiceAccount: automountServiceAccountToken, projected volumes.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 7
+        video_url: null
+  - id: ckad-d4-l03
+        title: "Bài 8: Resource Requests, Limits & QoS"
+        slug: 08-resources-qos
+        description: >-
+          CPU (millicores) vs Memory (MiB/GiB) units. requests vs limits.
+          OOMKilled và CPU throttling. QoS classes chi tiết.
+          LimitRange per container/pod. ResourceQuota per namespace.
+          Horizontal Pod Autoscaler (HPA) basics.
+        duration_minutes: 55
+        is_free: true
+        sort_order: 8
+        video_url: null
+- id: ckad-section-05
+    title: "Domain 5: Services & Networking (20%)"
+    description: Services, Ingress, Network Policies
+    sort_order: 5
+    lessons:
+  - id: ckad-d5-l01
+        title: "Bài 9: Services & Ingress"
+        slug: 09-services-ingress
+        description: >-
+          ClusterIP, NodePort, LoadBalancer, ExternalName. Headless service.
+          port vs targetPort vs nodePort. Ingress rules, path types.
+          TLS termination. Ingress class. Service vs Ingress use cases.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 9
+        video_url: null
+  - id: ckad-d5-l02
+        title: "Bài 10: Network Policies & CKAD Exam Strategy"
+        slug: 10-networkpolicies-exam-strategy
+        description: >-
+          NetworkPolicy: podSelector, namespaceSelector, ipBlock.
+          Ingress vs Egress rules. Default deny patterns.
+          CKAD exam tips: imperative kubectl commands, --dry-run=client,
+          time management, bookmarking docs, common task templates.
+        duration_minutes: 60
+        is_free: true
+        sort_order: 10
+        video_url: null