@xdev-asia/xdev-knowledge-mcp 1.0.43 → 1.0.45

package/content/series/luyen-thi/luyen-thi-gcp-ml-engineer/chapters/05-phan-5-responsible-ai/lessons/09-bai-9-responsible-ai.md

@@ -0,0 +1,128 @@
+---
+id: 019c9619-lt03-l09
+title: 'Bài 9: Responsible AI & Security'
+slug: bai-9-responsible-ai
+description: >-
+  Google Responsible AI principles. Vertex AI Explainability (SHAP, IG).
+  Fairness indicators. Privacy: differential privacy, federated learning.
+  IAM, VPC-SC, CMEK cho ML workloads.
+duration_minutes: 50
+is_free: true
+video_url: null
+sort_order: 9
+section_title: "Phần 5: Responsible AI & Ôn tập"
+course:
+  id: 019c9619-lt03-7003-c003-lt0300000003
+  title: 'Luyện thi Google Cloud Professional Machine Learning Engineer'
+  slug: luyen-thi-gcp-ml-engineer
+---
+
+<h2 id="responsible-ai"><strong>1. Google's Responsible AI Principles</strong></h2>
+
+<table>
+<thead><tr><th>Principle</th><th>Key Requirement</th></tr></thead>
+<tbody>
+<tr><td><strong>Socially Beneficial</strong></td><td>Benefits society and individuals</td></tr>
+<tr><td><strong>Avoid Unfair Bias</strong></td><td>Test fairness across demographic groups</td></tr>
+<tr><td><strong>Safety</strong></td><td>Test across diverse scenarios, continuous evaluation</td></tr>
+<tr><td><strong>Accountable</strong></td><td>Appropriate human oversight and control</td></tr>
+<tr><td><strong>Privacy Preserving</strong></td><td>Protect training data privacy</td></tr>
+<tr><td><strong>Scientific Excellence</strong></td><td>Rigorous research standards</td></tr>
+<tr><td><strong>Available for Beneficial Uses</strong></td><td>Primary benefit criteria</td></tr>
+</tbody>
+</table>
+
+<h2 id="explainability"><strong>2. Vertex AI Explainability</strong></h2>
+
+<p>Vertex AI Explainability cung cấp feature attribution scores — giải thích tại sao model đưa ra prediction nào đó.</p>
+
+<table>
+<thead><tr><th>Method</th><th>For</th><th>How</th></tr></thead>
+<tbody>
+<tr><td><strong>SHAP (Shapley Values)</strong></td><td>Tabular models</td><td>Game theory: contribution của mỗi feature</td></tr>
+<tr><td><strong>Integrated Gradients (IG)</strong></td><td>Neural networks (image, text)</td><td>Gradient accumulation from baseline to input</td></tr>
+<tr><td><strong>XRAI</strong></td><td>Image models</td><td>Pixel-region attribution (better UX than IG)</td></tr>
+<tr><td><strong>Sampled Shapley</strong></td><td>Large tabular datasets</td><td>Approximate SHAP, faster</td></tr>
+</tbody>
+</table>
+
+<blockquote>
+<p><strong>Exam tip:</strong> "Explain why a loan was denied" → SHAP for tabular models. "Highlight which image regions drove classification" → Integrated Gradients or XRAI. Vertex AI Explainability phải được enable lúc deploy endpoint.</p>
+</blockquote>
+
+<h2 id="fairness"><strong>3. Fairness & Bias Detection</strong></h2>
+
+<table>
+<thead><tr><th>Tool/Concept</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td><strong>Fairness Indicators</strong></td><td>GCP tool: evaluate model fairness metrics across demographic slices</td></tr>
+<tr><td><strong>What-If Tool</strong></td><td>Interactive exploration of model behavior, counterfactuals</td></tr>
+<tr><td><strong>Demographic parity</strong></td><td>Model predicts same rate across demographic groups</td></tr>
+<tr><td><strong>Equal opportunity</strong></td><td>Same recall/TPR across groups</td></tr>
+<tr><td><strong>Data slice evaluation</strong></td><td>Evaluate metrics per gender, race, age in TFX Evaluator</td></tr>
+</tbody>
+</table>
+
+<h2 id="privacy"><strong>4. Privacy Techniques</strong></h2>
+
+<table>
+<thead><tr><th>Technique</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td><strong>Differential Privacy</strong></td><td>Add statistical noise to training data/model, prevents individual data re-identification</td></tr>
+<tr><td><strong>Federated Learning</strong></td><td>Train on distributed data without centralizing raw data — model updates only</td></tr>
+<tr><td><strong>Data Anonymization</strong></td><td>Remove PII before training (Cloud DLP API)</td></tr>
+</tbody>
+</table>
+
+<h2 id="security"><strong>5. Security Controls for ML Workloads</strong></h2>
+
+<table>
+<thead><tr><th>Control</th><th>Purpose</th></tr></thead>
+<tbody>
+<tr><td><strong>IAM roles</strong></td><td>Least-privilege access for ML service accounts</td></tr>
+<tr><td><strong>VPC Service Controls (VPC-SC)</strong></td><td>Security perimeter: prevent data exfiltration from BigQuery, GCS</td></tr>
+<tr><td><strong>CMEK (Customer-Managed Encryption Keys)</strong></td><td>Control encryption keys via Cloud KMS</td></tr>
+<tr><td><strong>Private IP for Vertex AI</strong></td><td>Training and endpoints use private networking</td></tr>
+<tr><td><strong>Cloud Audit Logs</strong></td><td>Who accessed what data, when (Data Access + Admin Activity)</td></tr>
+</tbody>
+</table>
+
+<pre><code class="language-text">VPC Service Controls Perimeter:
+
+┌────── Security Perimeter ─────────┐
+│  BigQuery  │  Cloud Storage       │
+│  Vertex AI │  Cloud KMS           │
+│  Dataflow  │  Secret Manager      │
+└──────────────────────────────────┘
+         │ (no exfiltration outside perimeter)
+         ✗ Unauthorized access blocked
+</code></pre>
+
+<h2 id="practice"><strong>6. Practice Questions</strong></h2>
+
+<p><strong>Q1:</strong> A financial services company deployed a loan approval ML model. Regulators require the company to explain why specific loan applications were denied. Which Vertex AI feature provides per-prediction feature importance scores for tabular models?</p>
+<ul>
+<li>A) Vertex AI Experiments</li>
+<li>B) Vertex AI Explainability with SHAP ✓</li>
+<li>C) Vertex AI Model Monitoring</li>
+<li>D) Fairness Indicators</li>
+</ul>
+<p><em>Explanation: Vertex AI Explainability with Shapley Values (SHAP) assigns an importance score to each feature for each individual prediction, explaining why a specific loan was denied by attributing the model's decision to specific input features like credit_score, income, debt_ratio.</em></p>
+
+<p><strong>Q2:</strong> A healthcare company needs to train ML models on patient data distributed across multiple hospitals. Data privacy regulations prohibit centralizing raw patient records. Which privacy-preserving ML approach should they use?</p>
+<ul>
+<li>A) Differential Privacy with central training</li>
+<li>B) Federated Learning ✓</li>
+<li>C) Data anonymization + BigQuery ML</li>
+<li>D) Cloud DLP de-identification</li>
+</ul>
+<p><em>Explanation: Federated Learning trains models on distributed data without moving raw data to a central location. Each hospital trains locally on its own data; only model updates (gradients) are shared and aggregated. Raw patient records never leave the hospital's environment.</em></p>
+
+<p><strong>Q3:</strong> A company processes sensitive financial data in BigQuery for ML training. They need to prevent data from being moved outside an approved security boundary to unauthorized GCP projects. Which GCP feature should they implement?</p>
+<ul>
+<li>A) Cloud KMS CMEK encryption</li>
+<li>B) VPC Service Controls (VPC-SC) perimeter ✓</li>
+<li>C) IAM role deny policies</li>
+<li>D) Cloud Armor WAF</li>
+</ul>
+<p><em>Explanation: VPC Service Controls creates a security perimeter around GCP services (BigQuery, Cloud Storage, Vertex AI). It prevents data exfiltration by blocking requests that would move data outside the defined perimeter, even from authenticated users. CMEK provides encryption control but doesn't prevent exfiltration.</em></p>

package/content/series/luyen-thi/luyen-thi-gcp-ml-engineer/chapters/05-phan-5-responsible-ai/lessons/10-bai-10-cheat-sheet-chien-luoc-thi.md

@@ -0,0 +1,108 @@
+---
+id: 019c9619-lt03-l10
+title: 'Bài 10: Cheat Sheet & Chiến lược thi GCP MLE'
+slug: bai-10-cheat-sheet-chien-luoc-thi
+description: >-
+  Bảng tổng hợp toàn khoá GCP Professional Machine Learning Engineer.
+  GCP service reference, evaluation metrics, domain weights, và chiến lược thi.
+duration_minutes: 40
+is_free: true
+video_url: null
+sort_order: 10
+section_title: "Phần 5: Responsible AI & Ôn tập"
+course:
+  id: 019c9619-lt03-7003-c003-lt0300000003
+  title: 'Luyện thi Google Cloud Professional Machine Learning Engineer'
+  slug: luyen-thi-gcp-ml-engineer
+---
+
+<h2 id="exam-structure"><strong>1. Cấu Trúc Đề Thi GCP Professional ML Engineer</strong></h2>
+
+<table>
+<thead><tr><th>Item</th><th>Details</th></tr></thead>
+<tbody>
+<tr><td><strong>Total Questions</strong></td><td>60 câu</td></tr>
+<tr><td><strong>Time Limit</strong></td><td>120 phút (2 giờ)</td></tr>
+<tr><td><strong>Passing Score</strong></td><td>~70% (Google không công bố chính xác)</td></tr>
+<tr><td><strong>Format</strong></td><td>Multiple choice, multiple select</td></tr>
+<tr><td><strong>Validity</strong></td><td>2 năm</td></tr>
+<tr><td><strong>Level</strong></td><td>Professional (intermediate to advanced)</td></tr>
+</tbody>
+</table>
+
+<h2 id="domain-weights"><strong>2. Domain Weights</strong></h2>
+
+<table>
+<thead><tr><th>Domain</th><th>Weight</th></tr></thead>
+<tbody>
+<tr><td>1. Architecting low-code ML solutions</td><td>~10%</td></tr>
+<tr><td>2. Collaborate within and across teams to manage data and models</td><td>~20%</td></tr>
+<tr><td>3. Scale prototypes into ML models</td><td>~20%</td></tr>
+<tr><td>4. Serve and scale models</td><td>~20%</td></tr>
+<tr><td>5. Automate & orchestrate ML pipelines</td><td>~20%</td></tr>
+<tr><td>6. Monitor ML solutions</td><td>~10%</td></tr>
+</tbody>
+</table>
+
+<h2 id="service-cheat-sheet"><strong>3. GCP ML Services Cheat Sheet</strong></h2>
+
+<table>
+<thead><tr><th>Task</th><th>GCP Service</th></tr></thead>
+<tbody>
+<tr><td>No-code image classification</td><td>Vertex AI AutoML Image</td></tr>
+<tr><td>SQL-based ML in data warehouse</td><td>BigQuery ML</td></tr>
+<tr><td>Custom TensorFlow/PyTorch training</td><td>Vertex AI Custom Training</td></tr>
+<tr><td>Hyperparameter optimization</td><td>Vertex AI Hyperparameter Tuning (Bayesian)</td></tr>
+<tr><td>Feature consistency training/serving</td><td>Vertex AI Feature Store</td></tr>
+<tr><td>ML workflow orchestration (pipelines)</td><td>Vertex AI Pipelines (KFP)</td></tr>
+<tr><td>Experiment tracking</td><td>Vertex AI Experiments</td></tr>
+<tr><td>Model versioning</td><td>Vertex AI Model Registry</td></tr>
+<tr><td>A/B testing model versions</td><td>Vertex AI Endpoints traffic splitting</td></tr>
+<tr><td>Monitor feature skew/drift</td><td>Vertex AI Model Monitoring</td></tr>
+<tr><td>Explain model predictions</td><td>Vertex AI Explainability (SHAP, IG)</td></tr>
+<tr><td>Real-time event ingestion</td><td>Pub/Sub</td></tr>
+<tr><td>Batch + streaming ETL (unified)</td><td>Dataflow (Apache Beam)</td></tr>
+<tr><td>Spark/Hadoop workloads</td><td>Dataproc</td></tr>
+<tr><td>ML pipeline orchestration (multi-service)</td><td>Cloud Composer (Airflow)</td></tr>
+<tr><td>Natural language analysis (no training)</td><td>Cloud Natural Language API</td></tr>
+<tr><td>Document extraction</td><td>Document AI</td></tr>
+<tr><td>Speech to text</td><td>Cloud Speech-to-Text API</td></tr>
+<tr><td>Prevent data exfiltration</td><td>VPC Service Controls</td></tr>
+<tr><td>Customer-managed encryption</td><td>Cloud KMS (CMEK)</td></tr>
+</tbody>
+</table>
+
+<h2 id="traps"><strong>4. Common Exam Traps</strong></h2>
+
+<table>
+<thead><tr><th>Trap</th><th>Correct Answer</th></tr></thead>
+<tbody>
+<tr><td>"No ML expertise, image classification"</td><td>AutoML Image (not custom training)</td></tr>
+<tr><td>"Train on data already in BigQuery"</td><td>BigQuery ML (not Vertex AI)</td></tr>
+<tr><td>"Features differ at training vs serving"</td><td>Vertex AI Feature Store (not re-training)</td></tr>
+<tr><td>"Trigger retraining when data arrives"</td><td>GCS notification → Eventarc → Vertex AI Pipeline</td></tr>
+<tr><td>"Explain why model rejected application"</td><td>Vertex AI Explainability (SHAP)</td></tr>
+<tr><td>"Train on distributed hospital data"</td><td>Federated Learning</td></tr>
+<tr><td>"Prevent BigQuery data exfiltration"</td><td>VPC Service Controls</td></tr>
+<tr><td>"Compare model performance across runs"</td><td>Vertex AI Experiments</td></tr>
+</tbody>
+</table>
+
+<blockquote>
+<p><strong>Exam tip:</strong> GCP Professional ML Engineer thường hỏi về architecture decisions, không phải API syntax. Key question patterns: "which service BEST fits the requirement", "what is the FIRST step", "which approach requires the LEAST operational overhead". Luôn ưu tiên managed services của GCP khi câu hỏi có "minimal management" hoặc "serverless".</p>
+</blockquote>
+
+<h2 id="study-plan"><strong>5. Kế Hoạch Ôn Tập</strong></h2>
+
+<table>
+<thead><tr><th>Ngày</th><th>Focus</th></tr></thead>
+<tbody>
+<tr><td>Day 1</td><td>Vertex AI full platform: Training, Pipelines, Endpoints, Monitoring</td></tr>
+<tr><td>Day 2</td><td>Data engineering: Pub/Sub, Dataflow, Dataproc, Cloud Composer</td></tr>
+<tr><td>Day 3</td><td>BigQuery ML + Feature Engineering + Feature Store</td></tr>
+<tr><td>Day 4</td><td>Responsible AI: Explainability, Fairness, Privacy, Security</td></tr>
+<tr><td>Day 5</td><td>Practice exam 1 — identify weak areas</td></tr>
+<tr><td>Day 6</td><td>Review weak areas + Practice exam 2</td></tr>
+<tr><td>Day 7</td><td>Cheat sheet review only</td></tr>
+</tbody>
+</table>

package/content/series/luyen-thi/luyen-thi-gcp-ml-engineer/index.md

@@ -6,7 +6,7 @@ description: >-
   Lộ trình ôn tập toàn diện cho kỳ thi Google Cloud Professional Machine Learning
   Engineer. Vertex AI, BigQuery ML, TFX pipeline, MLOps trên GCP.
 
-featured_image: null
+featured_image: images/blog/gcp-ml-engineer-series-banner.png
 level: advanced
 duration_hours: 35
 lesson_count: 10

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/01-kien-truc-kubernetes.md

@@ -0,0 +1,137 @@
+---
+id: kcna-d1-l01
+title: 'Bài 1: Kubernetes Architecture & Core Components'
+slug: 01-kien-truc-kubernetes
+description: >-
+  Control plane vs Worker node. kube-apiserver, etcd, kube-scheduler,
+  controller-manager, kubelet, kube-proxy. Kubernetes objects overview.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 1
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai1-architecture.png" alt="Kubernetes Architecture — Control Plane và Worker Node components" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="overview">1. Tổng quan Kubernetes</h2>
+
+<p><strong>Kubernetes</strong> (K8s) là nền tảng orchestration container mã nguồn mở do Google phát triển, tặng cho CNCF năm 2014. Kubernetes tự động hóa việc triển khai, scaling và quản lý containerized applications.</p>
+
+<blockquote><p><strong>Exam tip:</strong> KCNA Domain 1 chiếm <strong>46%</strong> đề thi. Câu hỏi thường hỏi "Which component is responsible for..." — học thuộc vai trò từng component.</p></blockquote>
+
+<h2 id="architecture">2. Kiến trúc Kubernetes</h2>
+
+<p>Cluster Kubernetes gồm hai loại node: <strong>Control Plane</strong> và <strong>Worker Node</strong>.</p>
+
+<pre><code class="language-text">┌─────────────────────────────────────────────────────────┐
+│                    CONTROL PLANE                        │
+│  ┌──────────────┐  ┌─────────┐  ┌────────────────────┐ │
+│  │ kube-apiserver│  │  etcd   │  │kube-controller-mgr │ │
+│  │  (REST API)  │  │(DB key- │  │ - Node Controller  │ │
+│  │  front door  │  │ value)  │  │ - ReplicaSet Ctrl  │ │
+│  └──────────────┘  └─────────┘  │ - Endpoints Ctrl   │ │
+│  ┌──────────────┐               └────────────────────┘ │
+│  │kube-scheduler│                                       │
+│  │ (assign node)│                                       │
+│  └──────────────┘                                       │
+└─────────────────────────────────────────────────────────┘
+         │              │              │
+┌────────▼──────┐ ┌─────▼──────┐ ┌───▼────────────┐
+│  WORKER NODE 1│ │WORKER NODE 2│ │  WORKER NODE 3 │
+│  ┌──────────┐ │ │ ┌────────┐ │ │  ┌──────────┐  │
+│  │ kubelet  │ │ │ │kubelet │ │ │  │ kubelet  │  │
+│  │kube-proxy│ │ │ │k-proxy │ │ │  │kube-proxy│  │
+│  │ Pod Pod  │ │ │ │Pod Pod │ │ │  │ Pod Pod  │  │
+│  └──────────┘ │ │ └────────┘ │ │  └──────────┘  │
+└───────────────┘ └────────────┘ └────────────────┘</code></pre>
+
+<h2 id="control-plane">3. Control Plane Components</h2>
+
+<table>
+<thead><tr><th>Component</th><th>Vai trò</th><th>Từ khóa exam</th></tr></thead>
+<tbody>
+<tr><td><strong>kube-apiserver</strong></td><td>Cổng vào duy nhất của cluster, xử lý REST API. Mọi communication đều qua đây.</td><td>"single point of truth", "REST API", "authentication &amp; authorization"</td></tr>
+<tr><td><strong>etcd</strong></td><td>Key-value store lưu trữ toàn bộ cluster state. Là database của Kubernetes.</td><td>"cluster state", "consistent", "distributed key-value"</td></tr>
+<tr><td><strong>kube-scheduler</strong></td><td>Xem xét Pod chưa có node và chọn node phù hợp dựa trên resources, constraints.</td><td>"schedule", "assign node", "resource fit"</td></tr>
+<tr><td><strong>kube-controller-manager</strong></td><td>Chạy nhiều controller loops: Node, ReplicaSet, Endpoints, ServiceAccount, v.v.</td><td>"reconciliation loop", "desired state", "controller"</td></tr>
+<tr><td><strong>cloud-controller-manager</strong></td><td>Tích hợp với cloud provider API (AWS, GCP, Azure) — tùy chọn.</td><td>"cloud integration", "LoadBalancer provisioning"</td></tr>
+</tbody>
+</table>
+
+<h2 id="worker-node">4. Worker Node Components</h2>
+
+<table>
+<thead><tr><th>Component</th><th>Vai trò</th><th>Từ khóa exam</th></tr></thead>
+<tbody>
+<tr><td><strong>kubelet</strong></td><td>Agent chạy trên mỗi node, nhận PodSpec từ apiserver và đảm bảo containers chạy đúng.</td><td>"node agent", "PodSpec", "container health"</td></tr>
+<tr><td><strong>kube-proxy</strong></td><td>Quản lý network rules (iptables/IPVS) cho Services. Cho phép network communication đến Pods.</td><td>"networking", "iptables", "Service load balancing"</td></tr>
+<tr><td><strong>Container Runtime</strong></td><td>Software chạy containers: containerd, CRI-O. Docker đã bị deprecated.</td><td>"CRI", "containerd", "run containers"</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> <strong>kubelet</strong> là component duy nhất không chạy trong container — nó là systemd service trực tiếp trên node. Nếu kubelet crash, node sẽ NotReady.</p></blockquote>
+
+<h2 id="objects">5. Kubernetes Objects Cơ Bản</h2>
+
+<p>Mọi thứ trong Kubernetes là <strong>object</strong> — declarative resources được lưu trong etcd.</p>
+
+<table>
+<thead><tr><th>Object</th><th>Mô tả</th><th>Scope</th></tr></thead>
+<tbody>
+<tr><td><strong>Pod</strong></td><td>Unit nhỏ nhất, chứa 1+ containers chia sẻ network và storage</td><td>Namespaced</td></tr>
+<tr><td><strong>Namespace</strong></td><td>Virtual cluster, isolate resources</td><td>Cluster-wide</td></tr>
+<tr><td><strong>Node</strong></td><td>Worker machine (VM hoặc physical)</td><td>Cluster-wide</td></tr>
+<tr><td><strong>Deployment</strong></td><td>Manage stateless app replicas với rolling update</td><td>Namespaced</td></tr>
+<tr><td><strong>Service</strong></td><td>Stable network endpoint cho Pods</td><td>Namespaced</td></tr>
+<tr><td><strong>ConfigMap / Secret</strong></td><td>Configuration data</td><td>Namespaced</td></tr>
+<tr><td><strong>PersistentVolume</strong></td><td>Storage resource</td><td>Cluster-wide</td></tr>
+</tbody>
+</table>
+
+<h2 id="cheatsheet">6. Cheat Sheet — Component → Nhiệm vụ</h2>
+
+<table>
+<thead><tr><th>Câu hỏi</th><th>Trả lời</th></tr></thead>
+<tbody>
+<tr><td>Lưu cluster state ở đâu?</td><td><strong>etcd</strong></td></tr>
+<tr><td>Component nào chọn node cho Pod?</td><td><strong>kube-scheduler</strong></td></tr>
+<tr><td>Component nào chạy trên mỗi worker, quản lý Pods?</td><td><strong>kubelet</strong></td></tr>
+<tr><td>Component nào xử lý tất cả API calls?</td><td><strong>kube-apiserver</strong></td></tr>
+<tr><td>Component nào manage network rules cho Services?</td><td><strong>kube-proxy</strong></td></tr>
+<tr><td>Component nào watch và reconcile desired state?</td><td><strong>kube-controller-manager</strong></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> Which Kubernetes control plane component is responsible for watching newly created Pods that have no node assigned, and selecting a node for them?</p>
+<ul>
+<li>A) kube-apiserver</li>
+<li>B) kube-scheduler ✓</li>
+<li>C) kube-controller-manager</li>
+<li>D) kubelet</li>
+</ul>
+<p><em>Explanation: kube-scheduler watches for unscheduled Pods and assigns them to suitable nodes based on resource requirements, affinity rules, and constraints.</em></p>
+
+<p><strong>Q2:</strong> Where does Kubernetes store all cluster configuration and state?</p>
+<ul>
+<li>A) kube-apiserver memory</li>
+<li>B) /etc/kubernetes/ on each node</li>
+<li>C) etcd ✓</li>
+<li>D) kubelet database</li>
+</ul>
+<p><em>Explanation: etcd is the consistent, highly-available key-value store that serves as the backing store for all Kubernetes cluster data. Backing up etcd = backing up the entire cluster.</em></p>
+
+<p><strong>Q3:</strong> Which component on a Worker Node is responsible for ensuring containers described in PodSpecs are running and healthy?</p>
+<ul>
+<li>A) kube-proxy</li>
+<li>B) Container runtime</li>
+<li>C) kubelet ✓</li>
+<li>D) kube-controller-manager</li>
+</ul>
+<p><em>Explanation: kubelet is the node agent that receives PodSpecs from kube-apiserver and ensures the described containers are running. It reports node/Pod status back to the control plane.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/02-pods-workloads-controllers.md

@@ -0,0 +1,142 @@
+---
+id: kcna-d1-l02
+title: 'Bài 2: Pods, Workloads & Controllers'
+slug: 02-pods-workloads-controllers
+description: >-
+  Pod lifecycle. Deployments, ReplicaSets, StatefulSets, DaemonSets,
+  Jobs, CronJobs. Labels, selectors, annotations.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 2
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai2-pods-workloads.png" alt="Kubernetes Workload Controllers — Deployment, StatefulSet, DaemonSet, Job" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="pod">1. Pod — Đơn vị nhỏ nhất</h2>
+
+<p>Một <strong>Pod</strong> là nhóm 1 hoặc nhiều containers chia sẻ cùng network namespace (cùng IP, port space) và storage volumes. Pod là đơn vị scheduling trong Kubernetes.</p>
+
+<pre><code class="language-text">┌─────────────────────────────────────┐
+│              POD                    │
+│  IP: 10.244.1.5                     │
+│  ┌────────────┐  ┌───────────────┐  │
+│  │  Container │  │  Sidecar      │  │
+│  │   (app)    │  │  (log-agent)  │  │
+│  └────────────┘  └───────────────┘  │
+│       Shared Volume: /var/log       │
+└─────────────────────────────────────┘</code></pre>
+
+<h3 id="pod-lifecycle">Pod Lifecycle</h3>
+
+<table>
+<thead><tr><th>Phase</th><th>Ý nghĩa</th><th>Debug hint</th></tr></thead>
+<tbody>
+<tr><td><strong>Pending</strong></td><td>Chưa được schedule hoặc đang pull image</td><td>Check events: kubectl describe pod</td></tr>
+<tr><td><strong>Running</strong></td><td>Đang chạy, ít nhất 1 container đang active</td><td>Normal state</td></tr>
+<tr><td><strong>Succeeded</strong></td><td>Tất cả containers thoát với code 0</td><td>Job completed</td></tr>
+<tr><td><strong>Failed</strong></td><td>Ít nhất 1 container thoát với lỗi</td><td>kubectl logs --previous</td></tr>
+<tr><td><strong>Unknown</strong></td><td>Không liên lạc được với node</td><td>Node network issue</td></tr>
+<tr><td><strong>CrashLoopBackOff</strong></td><td>Container liên tục crash và restart</td><td>kubectl logs -p</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> <strong>CrashLoopBackOff</strong> không phải Pod phase chính thức — nó là Container state trong Waiting. Câu hỏi hay hỏi "pod phase" vs "container state".</p></blockquote>
+
+<h2 id="workloads">2. Workload Controllers</h2>
+
+<table>
+<thead><tr><th>Controller</th><th>Dùng khi</th><th>Đặc điểm nổi bật</th></tr></thead>
+<tbody>
+<tr><td><strong>Deployment</strong></td><td>Stateless apps (web server, API)</td><td>Rolling update, rollback, ReplicaSet management</td></tr>
+<tr><td><strong>ReplicaSet</strong></td><td>Đảm bảo N replicas (thường dùng qua Deployment)</td><td>Label selector, ít dùng trực tiếp</td></tr>
+<tr><td><strong>StatefulSet</strong></td><td>Stateful apps (database, Kafka, Elasticsearch)</td><td>Stable pod names (web-0, web-1), stable storage, ordered deployment</td></tr>
+<tr><td><strong>DaemonSet</strong></td><td>Agent chạy trên mọi node (logging, monitoring, network)</td><td>1 Pod/node, auto-deploy khi node mới join</td></tr>
+<tr><td><strong>Job</strong></td><td>Batch task chạy đến khi hoàn thành</td><td>completions, parallelism, backoffLimit</td></tr>
+<tr><td><strong>CronJob</strong></td><td>Periodic batch tasks</td><td>cron syntax, concurrencyPolicy, schedule</td></tr>
+</tbody>
+</table>
+
+<h3 id="deployment-vs-statefulset">Deployment vs StatefulSet</h3>
+
+<pre><code class="language-text">DEPLOYMENT (Stateless)          STATEFULSET (Stateful)
+─────────────────────           ────────────────────────
+Pod names: web-a1b2c3            Pod names: web-0, web-1, web-2
+Any order scale up/down          Ordered: web-0 first, then web-1...
+Shared or no storage             Each Pod gets its own PVC
+Pod replaced = new identity      Pod replaced = same identity
+Examples: nginx, api-server      Examples: MySQL, MongoDB, Kafka</code></pre>
+
+<h2 id="labels">3. Labels, Selectors & Annotations</h2>
+
+<table>
+<thead><tr><th>Concept</th><th>Dùng để</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td><strong>Labels</strong></td><td>Tag resources để select và group</td><td><code>app: frontend, env: prod</code></td></tr>
+<tr><td><strong>Selectors</strong></td><td>Query resources theo labels</td><td><code>selector: {app: frontend}</code></td></tr>
+<tr><td><strong>Annotations</strong></td><td>Metadata không dùng để select (build info, contact)</td><td><code>maintainer: team@company.com</code></td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Service tìm Pods qua <strong>selector</strong> matching Pod <strong>labels</strong>. Nếu selector không match, Service sẽ có empty Endpoints → traffic không đến được Pod.</p></blockquote>
+
+<h2 id="daemonset-usecase">4. DaemonSet Use Cases</h2>
+
+<pre><code class="language-text">NODE 1         NODE 2         NODE 3
+┌──────┐       ┌──────┐       ┌──────┐
+│fluentd│      │fluentd│      │fluentd│  ← Log collector DaemonSet
+│ Pod  │       │ Pod  │       │ Pod  │
+├──────┤       ├──────┤       ├──────┤
+│calico│       │calico│       │calico│  ← CNI network plugin DaemonSet
+│ Pod  │       │ Pod  │       │ Pod  │
+└──────┘       └──────┘       └──────┘</code></pre>
+
+<p>DaemonSets thường dùng cho: <strong>Fluentd/Filebeat</strong> (log collection), <strong>Prometheus Node Exporter</strong> (metrics), <strong>kube-proxy</strong> (networking), <strong>CNI plugins</strong> (Calico, Cilium).</p>
+
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Stateful app, cần stable identity?</td><td><strong>StatefulSet</strong></td></tr>
+<tr><td>1 Pod per node (monitoring agent)?</td><td><strong>DaemonSet</strong></td></tr>
+<tr><td>Stateless app với rolling update?</td><td><strong>Deployment</strong></td></tr>
+<tr><td>One-time batch processing?</td><td><strong>Job</strong></td></tr>
+<tr><td>Scheduled batch (nightly backup)?</td><td><strong>CronJob</strong></td></tr>
+<tr><td>Pod naming pattern cho StatefulSet?</td><td><code>name-0, name-1, name-2</code></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A company needs to deploy a MySQL database on Kubernetes with stable network identity and dedicated storage per replica. Which workload type should they use?</p>
+<ul>
+<li>A) Deployment with PersistentVolumeClaim</li>
+<li>B) StatefulSet ✓</li>
+<li>C) DaemonSet</li>
+<li>D) ReplicaSet</li>
+</ul>
+<p><em>Explanation: StatefulSet provides stable Pod names (mysql-0, mysql-1), ordered deployment/scaling, and each Pod gets its own PVC via volumeClaimTemplates. These properties are essential for databases.</em></p>
+
+<p><strong>Q2:</strong> Which workload ensures exactly one Pod runs on every node in the cluster, including future nodes that join?</p>
+<ul>
+<li>A) Deployment with replicas matching node count</li>
+<li>B) ReplicaSet with nodeSelector</li>
+<li>C) DaemonSet ✓</li>
+<li>D) StatefulSet</li>
+</ul>
+<p><em>Explanation: DaemonSet automatically deploys one Pod per node and watches cluster membership — when a new node joins, the DaemonSet controller immediately creates a Pod on it.</em></p>
+
+<p><strong>Q3:</strong> A Pod is in 'Pending' state. What is the MOST likely cause?</p>
+<ul>
+<li>A) The container application crashed</li>
+<li>B) No node satisfies the scheduling requirements ✓</li>
+<li>C) The liveness probe failed</li>
+<li>D) The container image is corrupted</li>
+</ul>
+<p><em>Explanation: Pending means the Pod has been accepted but hasn't started. Most common reasons: insufficient CPU/memory on nodes, unsatisfied node affinity/taints, or PVC not bound. Check kubectl describe pod events.</em></p>