npm - @xdev-asia/xdev-knowledge-mcp - Versions diffs - 1.0.43 → 1.0.45 - Mend

@xdev-asia/xdev-knowledge-mcp 1.0.43 → 1.0.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/03-services-networking-storage.md ADDED Viewed

@@ -0,0 +1,155 @@
+---
+id: kcna-d1-l03
+title: 'Bài 3: Services, Networking & Storage'
+slug: 03-services-networking-storage
+description: >-
+  Service types (ClusterIP, NodePort, LoadBalancer, ExternalName). CoreDNS
+  và service discovery. PersistentVolume, PVC, ConfigMap, Secret.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 3
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai3-services-networking.png" alt="Kubernetes Services và Networking — ClusterIP, NodePort, LoadBalancer" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="services">1. Service Types</h2>
+<p>Pods có IP tạm thời, bị xóa khi restart. <strong>Service</strong> cung cấp stable Virtual IP (ClusterIP) và load-balancing đến một nhóm Pods qua label selector.</p>
+<table>
+<thead><tr><th>Type</th><th>Reachable From</th><th>Use Case</th><th>Real-world Example</th></tr></thead>
+<tbody>
+<tr><td><strong>ClusterIP</strong></td><td>Cluster internal only</td><td>Backend microservices</td><td>Payment service → DB</td></tr>
+<tr><td><strong>NodePort</strong></td><td>External via NodeIP:Port (30000-32767)</td><td>Dev/test access</td><td>Demo app on bare metal</td></tr>
+<tr><td><strong>LoadBalancer</strong></td><td>External via cloud LB</td><td>Production apps on cloud</td><td>AWS/GCP internet traffic</td></tr>
+<tr><td><strong>ExternalName</strong></td><td>CNAME alias for external service</td><td>Integrate external DNS</td><td>legacy-db.company.com</td></tr>
+</tbody>
+</table>
+<pre><code class="language-text">External Traffic
+      │
+      ▼
+[LoadBalancer]          ← cloud provider LB (AWS ELB, GCP)
+      │
+[NodePort :30080]       ← all nodes expose port 30080
+      │
+[ClusterIP 10.96.5.3]  ← virtual IP, iptables/IPVS routing
+      │
+ ┌────┴────┐
+[Pod A] [Pod B]        ← matched by label selector</code></pre>
+<blockquote><p><strong>Exam tip:</strong> <strong>NodePort</strong> tự động tạo thêm <strong>ClusterIP</strong>. <strong>LoadBalancer</strong> tự động tạo thêm <strong>NodePort + ClusterIP</strong>. Mỗi type kế thừa type nhỏ hơn.</p></blockquote>
+<h2 id="coredns">2. CoreDNS & Service Discovery</h2>
+<p><strong>CoreDNS</strong> là DNS server mặc định trong Kubernetes cluster. Mỗi Service được đăng ký DNS record tự động.</p>
+<pre><code class="language-text">DNS format: {service}.{namespace}.svc.cluster.local
+Ví dụ:
+  Service "api" trong namespace "production":
+  → api.production.svc.cluster.local
+  → api.production.svc
+  → api.production
+  → api  (chỉ trong cùng namespace)</code></pre>
+<table>
+<thead><tr><th>DNS Query</th><th>Resolves To</th><th>Works From</th></tr></thead>
+<tbody>
+<tr><td><code>api</code></td><td>Service ClusterIP</td><td>Same namespace only</td></tr>
+<tr><td><code>api.production</code></td><td>Service ClusterIP</td><td>Any namespace</td></tr>
+<tr><td><code>api.production.svc.cluster.local</code></td><td>Service ClusterIP</td><td>Any namespace (FQDN)</td></tr>
+</tbody>
+</table>
+<h2 id="storage">3. Storage: PV, PVC, StorageClass</h2>
+<pre><code class="language-text">Storage lifecycle:
+                    STATIC                     DYNAMIC
+                    ─────                      ───────
+  Admin creates  → PersistentVolume     StorageClass (provision template)
+  App requests   → PersistentVolumeClaim → SC auto-provisions PV
+  Pod mounts     → PVC as volume</code></pre>
+<table>
+<thead><tr><th>Concept</th><th>Vai trò</th><th>Ai tạo</th></tr></thead>
+<tbody>
+<tr><td><strong>PersistentVolume (PV)</strong></td><td>Tài nguyên storage thực tế (NFS, EBS, GCE Disk)</td><td>Admin hoặc dynamic provisioner</td></tr>
+<tr><td><strong>PersistentVolumeClaim (PVC)</strong></td><td>Request storage với size + access mode</td><td>Developer / App</td></tr>
+<tr><td><strong>StorageClass</strong></td><td>Template tự động tạo PV khi có PVC</td><td>Admin</td></tr>
+</tbody>
+</table>
+<h3 id="access-modes">Access Modes</h3>
+<table>
+<thead><tr><th>Mode</th><th>Abbrev</th><th>Ý nghĩa</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td>ReadWriteOnce</td><td><strong>RWO</strong></td><td>1 node đọc+ghi</td><td>EBS volume, local disk</td></tr>
+<tr><td>ReadOnlyMany</td><td><strong>ROX</strong></td><td>Nhiều nodes đọc</td><td>Static files on NFS</td></tr>
+<tr><td>ReadWriteMany</td><td><strong>RWX</strong></td><td>Nhiều nodes đọc+ghi</td><td>NFS, EFS, GlusterFS</td></tr>
+<tr><td>ReadWriteOncePod</td><td><strong>RWOP</strong></td><td>Chỉ 1 Pod (v1.22+)</td><td>Exclusive access needed</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> AWS EBS chỉ hỗ trợ <strong>RWO</strong>. Nếu câu hỏi yêu cầu nhiều Pods ghi đồng thời, cần dùng NFS (RWX). StatefulSet thường dùng RWO với mỗi Pod có PVC riêng.</p></blockquote>
+<h2 id="configmap-secret">4. ConfigMap & Secret</h2>
+<table>
+<thead><tr><th>Resource</th><th>Dùng cho</th><th>Encoding</th><th>Inject vào Pod</th></tr></thead>
+<tbody>
+<tr><td><strong>ConfigMap</strong></td><td>Config không nhạy cảm (URLs, flags, env files)</td><td>Plain text</td><td>Env var, volume file, CLI args</td></tr>
+<tr><td><strong>Secret</strong></td><td>Data nhạy cảm (passwords, API keys, TLS certs)</td><td>Base64 (NOT encrypted by default)</td><td>Env var (không khuyến khích), volume mount</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Secret chỉ là base64 encoded, <strong>KHÔNG phải encrypted</strong>. Để encrypt Secret at rest, cần bật <strong>Encryption Configuration</strong> ở API Server. Câu hỏi hay dùng "encrypted" như distractor sai.</p></blockquote>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Expose app ra ngoài cluster trên cloud?</td><td><strong>LoadBalancer</strong> (hoặc Ingress)</td></tr>
+<tr><td>DNS name cho Service "db" trong ns "backend"?</td><td><code>db.backend.svc.cluster.local</code></td></tr>
+<tr><td>Cần storage shared giữa nhiều Pods?</td><td>PV với access mode <strong>RWX</strong></td></tr>
+<tr><td>Tự động provision storage khi deploy?</td><td><strong>StorageClass</strong> + PVC</td></tr>
+<tr><td>Secret có bị encrypt by default?</td><td><strong>Không</strong>, chỉ base64</td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A developer wants to access a backend database Service named "orders-db" from a different namespace called "frontend". Which DNS name should they use?</p>
+<ul>
+<li>A) orders-db</li>
+<li>B) orders-db.default.svc.cluster.local</li>
+<li>C) orders-db.backend.svc.cluster.local ✓</li>
+<li>D) backend.orders-db.cluster.local</li>
+</ul>
+<p><em>Explanation: Cross-namespace DNS requires the full format: {service}.{namespace}.svc.cluster.local. Short name "orders-db" only works within the same namespace.</em></p>
+<p><strong>Q2:</strong> Which Service type automatically creates a ClusterIP AND a NodePort?</p>
+<ul>
+<li>A) ClusterIP</li>
+<li>B) NodePort</li>
+<li>C) LoadBalancer ✓</li>
+<li>D) ExternalName</li>
+</ul>
+<p><em>Explanation: LoadBalancer is a superset — it creates ClusterIP + NodePort + cloud load balancer. NodePort includes ClusterIP, but ClusterIP is standalone with no external access.</em></p>
+<p><strong>Q3:</strong> A Secret contains a database password. A developer claims the password is "encrypted". Is this claim accurate?</p>
+<ul>
+<li>A) Yes, Kubernetes Secrets are encrypted with AES</li>
+<li>B) No, Secrets are only base64 encoded unless Encryption Configuration is enabled ✓</li>
+<li>C) Yes, Secrets are encrypted using etcd's built-in encryption</li>
+<li>D) No, Secrets are stored in plain text</li>
+</ul>
+<p><em>Explanation: By default, Secrets are stored as base64-encoded strings in etcd — which is NOT encryption. Administrators must configure EncryptionConfiguration on the API server to enable encryption at rest.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/04-rbac-security.md ADDED Viewed

@@ -0,0 +1,137 @@
+---
+id: kcna-d1-l04
+title: 'Bài 4: RBAC & Kubernetes Security'
+slug: 04-rbac-security
+description: >-
+  Role-Based Access Control (RBAC), ServiceAccounts, Network Policies,
+  Pod Security Standards và Security Context. Bảo mật Kubernetes cluster.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 4
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai4-rbac.png" alt="RBAC Authorization Model — Subject, RoleBinding, Role, Rules" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="rbac">1. RBAC — Role-Based Access Control</h2>
+<p><strong>RBAC</strong> kiểm soát ai (User, Group, ServiceAccount) được làm gì (verbs) với tài nguyên nào (resources) trong namespace hoặc cluster.</p>
+<pre><code class="language-text">RBAC Flow:
+Subject (Who?)    →    Role/ClusterRole (What?)    →    RoleBinding (Links)
+  User "alice"          Role "pod-reader"              RoleBinding
+  ServiceAccount        - get pods                     alice → pod-reader
+  Group "devs"          - list pods                    (in namespace "dev")
+                        - watch pods</code></pre>
+<table>
+<thead><tr><th>Object</th><th>Scope</th><th>Dùng khi</th></tr></thead>
+<tbody>
+<tr><td><strong>Role</strong></td><td>Namespace</td><td>Quyền trong 1 namespace</td></tr>
+<tr><td><strong>ClusterRole</strong></td><td>Cluster-wide</td><td>Quyền trên toàn cluster hoặc non-namespaced resources (nodes)</td></tr>
+<tr><td><strong>RoleBinding</strong></td><td>Namespace</td><td>Gán Role or ClusterRole cho Subject trong 1 namespace</td></tr>
+<tr><td><strong>ClusterRoleBinding</strong></td><td>Cluster-wide</td><td>Gán ClusterRole cho Subject trên toàn cluster</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Có thể dùng <strong>RoleBinding</strong> để gán <strong>ClusterRole</strong> vào 1 namespace cụ thể — đây là cách tái sử dụng permission template mà không cấp quyền toàn cluster. Rất hay xuất hiện trong exam!</p></blockquote>
+<h2 id="serviceaccounts">2. ServiceAccounts</h2>
+<p>Mỗi Pod có thể gắn một <strong>ServiceAccount</strong>. Token của ServiceAccount được mount tự động vào <code>/var/run/secrets/kubernetes.io/serviceaccount/</code>. Pods dùng token này để gọi Kubernetes API.</p>
+<pre><code class="language-text">Default ServiceAccount flow:
+  Pod → ServiceAccount → RBAC Role → API Server
+Ví dụ: Prometheus cần đọc Pod metrics:
+  ServiceAccount: prometheus-sa
+  ClusterRole: pod-metrics-reader (verbs: get, list, watch)
+  ClusterRoleBinding: prometheus-sa → pod-metrics-reader</code></pre>
+<h2 id="network-policies">3. Network Policies</h2>
+<p>Mặc định, tất cả Pods trong cluster có thể communicate với nhau. <strong>NetworkPolicy</strong> cho phép giới hạn traffic ingress/egress dựa trên Pod selector, namespace selector, hoặc IP block.</p>
+<pre><code class="language-text">❌ Default (no NetworkPolicy): All pods talk to all pods
+✅ With NetworkPolicy:
+   frontend → backend (allowed)
+   frontend → database (BLOCKED)
+   backend → database (allowed)</code></pre>
+<blockquote><p><strong>Exam tip:</strong> NetworkPolicy chỉ có tác dụng khi <strong>CNI plugin hỗ trợ</strong> (Calico, Cilium, Weave). Flannel không hỗ trợ NetworkPolicy. Nếu không có policy nào → allow all. Nếu có ít nhất 1 policy → default deny cho traffic được select.</p></blockquote>
+<h2 id="pod-security">4. Pod Security Standards</h2>
+<p>Kubernetes định nghĩa 3 <strong>Pod Security Standards</strong> (thay thế PodSecurityPolicy từ v1.25):</p>
+<table>
+<thead><tr><th>Profile</th><th>Mức độ hạn chế</th><th>Dùng cho</th></tr></thead>
+<tbody>
+<tr><td><strong>Privileged</strong></td><td>Không hạn chế</td><td>System/infra workloads (kube-system)</td></tr>
+<tr><td><strong>Baseline</strong></td><td>Ngăn escalation rõ ràng</td><td>Workloads thông thường</td></tr>
+<tr><td><strong>Restricted</strong></td><td>Tuân thủ hardening tối đa</td><td>Security-sensitive apps</td></tr>
+</tbody>
+</table>
+<h2 id="security-context">5. SecurityContext</h2>
+<p><strong>SecurityContext</strong> cấu hình bảo mật ở cấp Pod hoặc Container:</p>
+<table>
+<thead><tr><th>Security setting</th><th>Ý nghĩa</th></tr></thead>
+<tbody>
+<tr><td><code>runAsNonRoot: true</code></td><td>Container không được chạy với UID 0</td></tr>
+<tr><td><code>runAsUser: 1000</code></td><td>Chạy container với UID 1000</td></tr>
+<tr><td><code>readOnlyRootFilesystem: true</code></td><td>Filesystem read-only (write phải dùng volume)</td></tr>
+<tr><td><code>allowPrivilegeEscalation: false</code></td><td>Không cho process leo thang đặc quyền</td></tr>
+<tr><td><code>capabilities.drop: ["ALL"]</code></td><td>Bỏ tất cả Linux capabilities</td></tr>
+</tbody>
+</table>
+<h2 id="cheatsheet">6. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Pod cần gọi K8s API, dùng gì?</td><td><strong>ServiceAccount</strong></td></tr>
+<tr><td>Giới hạn quyền user trong 1 namespace?</td><td><strong>Role</strong> + <strong>RoleBinding</strong></td></tr>
+<tr><td>Giới hạn network traffic giữa Pods?</td><td><strong>NetworkPolicy</strong></td></tr>
+<tr><td>NetworkPolicy cần gì để hoạt động?</td><td>CNI plugin hỗ trợ (Calico, Cilium)</td></tr>
+<tr><td>Privileged → Restricted, Pod Security cần?</td><td><strong>Pod Security Admission</strong></td></tr>
+</tbody>
+</table>
+<h2 id="practice">7. Practice Questions</h2>
+<p><strong>Q1:</strong> An application Pod needs to access the Kubernetes API to list Pods in its own namespace. What should a cluster administrator create?</p>
+<ul>
+<li>A) ClusterRole with ClusterRoleBinding for all namespaces</li>
+<li>B) ServiceAccount with Role (list pods) and RoleBinding ✓</li>
+<li>C) Service with type LoadBalancer for API Server</li>
+<li>D) ConfigMap with API Server credentials</li>
+</ul>
+<p><em>Explanation: The Pod needs a ServiceAccount, a Role granting "list pods" in its namespace, and a RoleBinding linking them. Using ClusterRole would over-grant access across all namespaces.</em></p>
+<p><strong>Q2:</strong> A NetworkPolicy is applied to a Pod. What is the default behavior for traffic not explicitly matched by any rule?</p>
+<ul>
+<li>A) All traffic is allowed (default allow)</li>
+<li>B) Traffic is logged but not blocked</li>
+<li>C) Traffic that matches the Pod selector is denied; all other traffic passes ✓</li>
+<li>D) All traffic to/from the Pod is denied</li>
+</ul>
+<p><em>Explanation: Once a NetworkPolicy selects a Pod (via podSelector), all traffic not explicitly allowed is denied for that policy type (ingress/egress). Non-selected Pods remain unaffected and have full connectivity.</em></p>
+<p><strong>Q3:</strong> Which Pod Security Standard profile should be used for a system-level component that requires privileged access to the host?</p>
+<ul>
+<li>A) Restricted</li>
+<li>B) Baseline</li>
+<li>C) Privileged ✓</li>
+<li>D) SystemAdmin</li>
+</ul>
+<p><em>Explanation: The Privileged profile places no restrictions on Pods, allowing all capabilities. It's intended for system/infrastructure components. Baseline prevents known privilege escalations; Restricted enforces maximum hardening.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/02-container-orchestration/lessons/05-container-runtimes-oci.md ADDED Viewed

@@ -0,0 +1,137 @@
+---
+id: kcna-d2-l05
+title: 'Bài 5: Container Runtimes & OCI Standards'
+slug: 05-container-runtimes-oci
+description: >-
+  OCI (Open Container Initiative), container runtime interface (CRI).
+  Docker, containerd, CRI-O. Image layers, registries và image lifecycle.
+duration_minutes: 50
+is_free: true
+video_url: null
+sort_order: 5
+section_title: "Domain 2: Container Orchestration (22%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai5-oci-runtimes.png" alt="OCI Container Runtime Stack — CRI, containerd, runc" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="oci">1. OCI — Open Container Initiative</h2>
+<p><strong>OCI</strong> là tổ chức mở (thuộc Linux Foundation) định nghĩa các chuẩn mở cho containers:</p>
+<table>
+<thead><tr><th>Specification</th><th>Định nghĩa</th><th>Ví dụ implement</th></tr></thead>
+<tbody>
+<tr><td><strong>OCI Image Spec</strong></td><td>Định dạng container image (layers, manifest)</td><td>Docker image, OCI image</td></tr>
+<tr><td><strong>OCI Runtime Spec</strong></td><td>Cách chạy container từ image (lifecycle, filesystem)</td><td>runc, crun, kata-containers</td></tr>
+<tr><td><strong>OCI Distribution Spec</strong></td><td>API để push/pull image từ registry</td><td>DockerHub, ECR, GCR</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> OCI standards đảm bảo <strong>interoperability</strong>: image build bằng Docker có thể chạy với containerd hoặc CRI-O mà không cần thay đổi. KCNA thường hỏi về vai trò của OCI trong cloud native ecosystem.</p></blockquote>
+<h2 id="container-runtime">2. Container Runtime Interface (CRI)</h2>
+<p>Kubernetes không giao tiếp trực tiếp với Docker hay containerd. Thay vào đó, kubelet dùng <strong>CRI (Container Runtime Interface)</strong> — một gRPC API chuẩn.</p>
+<pre><code class="language-text">Kubernetes Architecture (Runtime Layer):
+  kubelet
+     │ CRI (gRPC)
+     ├─── containerd ─── runc ─── container
+     ├─── CRI-O      ─── runc ─── container
+     └─── (Docker)   ─── (deprecated v1.24+)
+  OCI Runtime (runc, crun):
+  - Đọc OCI runtime bundle
+  - Gọi Linux kernel (namespaces, cgroups)
+  - Tạo container process</code></pre>
+<h2 id="runtimes-comparison">3. Container Runtimes Comparison</h2>
+<table>
+<thead><tr><th>Runtime</th><th>Loại</th><th>Đặc điểm</th><th>Dùng trong</th></tr></thead>
+<tbody>
+<tr><td><strong>containerd</strong></td><td>High-level (CRI)</td><td>Nhẹ, stable, CNCF graduated</td><td>Default Kubernetes 1.24+</td></tr>
+<tr><td><strong>CRI-O</strong></td><td>High-level (CRI)</td><td>Tối ưu cho Kubernetes, lightweight</td><td>OpenShift, Kubernetes</td></tr>
+<tr><td><strong>Docker Engine</strong></td><td>High-level (non-CRI)</td><td>Deprecated từ K8s 1.24 (dùng dockershim)</td><td>Dev environments</td></tr>
+<tr><td><strong>runc</strong></td><td>Low-level (OCI)</td><td>Reference OCI implementation</td><td>Backend của containerd/CRI-O</td></tr>
+<tr><td><strong>gVisor (runsc)</strong></td><td>Low-level (sandbox)</td><td>Security sandbox, intercepts syscalls</td><td>GKE sandbox, untrusted workloads</td></tr>
+<tr><td><strong>Kata Containers</strong></td><td>Low-level (VM-based)</td><td>VM isolation per container</td><td>Multi-tenant, high security</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Docker bị deprecated như Kubernetes runtime từ v1.24, nhưng Docker images (OCI-compatible) vẫn chạy được trên containerd/CRI-O. "Docker deprecated" ≠ "Docker images deprecated".</p></blockquote>
+<h2 id="image-layers">4. Container Image Layers</h2>
+<pre><code class="language-text">Layer architecture:
+┌──────────────────────────────┐
+│  Layer 4: App code (5 MB)    │  ← Writeable (container layer)
+├──────────────────────────────┤
+│  Layer 3: npm packages       │  ← Read-only
+├──────────────────────────────┤
+│  Layer 2: Node.js runtime    │  ← Read-only
+├──────────────────────────────┤
+│  Layer 1: Ubuntu base image  │  ← Read-only (shared across images)
+└──────────────────────────────┘
+Cache benefit: nếu Layer 1-2 giống nhau, chỉ download Layer 3-4</code></pre>
+<h2 id="registries">5. Container Registries</h2>
+<table>
+<thead><tr><th>Registry</th><th>Provider</th><th>Đặc điểm</th></tr></thead>
+<tbody>
+<tr><td>Docker Hub</td><td>Docker Inc.</td><td>Public default, rate-limited pulls</td></tr>
+<tr><td>ECR (Elastic Container Registry)</td><td>AWS</td><td>Private, IAM integrated</td></tr>
+<tr><td>GCR / Artifact Registry</td><td>GCP</td><td>Private, Workload Identity</td></tr>
+<tr><td>GHCR (GitHub Container Registry)</td><td>GitHub</td><td>Package-linked, Actions CI</td></tr>
+<tr><td>Harbor</td><td>CNCF (open source)</td><td>Self-hosted, vulnerability scanning</td></tr>
+</tbody>
+</table>
+<h2 id="cheatsheet">6. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>OCI định nghĩa chuẩn gì?</td><td>Image Spec, Runtime Spec, Distribution Spec</td></tr>
+<tr><td>Default runtime K8s 1.24+?</td><td><strong>containerd</strong></td></tr>
+<tr><td>CRI là gì?</td><td>Container Runtime Interface — gRPC API giữa kubelet và runtime</td></tr>
+<tr><td>Docker deprecated trong K8s?</td><td><strong>Từ v1.24</strong> (dockershim removed)</td></tr>
+<tr><td>Runtime cho untrusted workloads?</td><td><strong>gVisor</strong> hoặc <strong>Kata Containers</strong></td></tr>
+</tbody>
+</table>
+<h2 id="practice">7. Practice Questions</h2>
+<p><strong>Q1:</strong> A Kubernetes cluster uses containerd as the container runtime. A developer pushes a Docker image to Docker Hub. Can this image run on the cluster?</p>
+<ul>
+<li>A) No, Docker images are incompatible with containerd</li>
+<li>B) Yes, because Docker images follow OCI Image Spec and are compatible ✓</li>
+<li>C) Only if the cluster installs a Docker compatibility shim</li>
+<li>D) No, containerd only supports images from CNCF registries</li>
+</ul>
+<p><em>Explanation: Docker images follow the OCI Image Specification, making them interoperable with any OCI-compliant runtime including containerd and CRI-O. The "Docker deprecated" refers to the runtime, not the image format.</em></p>
+<p><strong>Q2:</strong> What is the primary purpose of the Container Runtime Interface (CRI)?</p>
+<ul>
+<li>A) Define image layer formats</li>
+<li>B) Provide a gRPC API for kubelet to communicate with container runtimes ✓</li>
+<li>C) Manage container image distribution between registries</li>
+<li>D) Schedule containers across cluster nodes</li>
+</ul>
+<p><em>Explanation: CRI gives kubelet a stable API to interact with different runtimes (containerd, CRI-O) without knowing implementation details. This decoupling enables switching runtimes without changing kubelet code.</em></p>
+<p><strong>Q3:</strong> Which container runtime provides VM-level isolation per container for high-security multi-tenant workloads?</p>
+<ul>
+<li>A) containerd</li>
+<li>B) CRI-O</li>
+<li>C) Kata Containers ✓</li>
+<li>D) runc</li>
+</ul>
+<p><em>Explanation: Kata Containers runs each container inside a lightweight VM, providing stronger isolation than standard Linux namespace-based containers. gVisor provides user-space isolation via syscall interception, also strong but different approach.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/02-container-orchestration/lessons/06-orchestration-patterns.md ADDED Viewed

@@ -0,0 +1,147 @@
+---
+id: kcna-d2-l06
+title: 'Bài 6: Container Orchestration Patterns'
+slug: 06-orchestration-patterns
+description: >-
+  Scheduling, auto-scaling (HPA, VPA, Cluster Autoscaler), resource requests
+  và limits, namespaces, multi-tenancy và Kubernetes upgrade strategies.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 6
+section_title: "Domain 2: Container Orchestration (22%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai6-scheduling.png" alt="Kubernetes Scheduling Pipeline và Autoscaling (HPA, VPA, Cluster Autoscaler)" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="scheduling">1. Kubernetes Scheduling</h2>
+<p>Khi Pod được tạo, <strong>kube-scheduler</strong> chọn node phù hợp qua 2 bước:</p>
+<pre><code class="language-text">Scheduling Pipeline:
+  New Pod
+    │
+    ▼
+  1. FILTERING: Loại bỏ nodes không đủ điều kiện
+     - Không đủ CPU/Memory
+     - Taint không match Toleration
+     - Node Affinity không match
+     │
+    ▼
+  2. SCORING: Chấm điểm nodes còn lại
+     - Resource balance
+     - Affinity preferences
+     │
+    ▼
+  Bind Pod → Highest score Node</code></pre>
+<table>
+<thead><tr><th>Cơ chế</th><th>Mục đích</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td><strong>NodeSelector</strong></td><td>Schedule Pod lên node có label</td><td><code>disktype: ssd</code></td></tr>
+<tr><td><strong>Affinity/Anti-affinity</strong></td><td>Preferred/required node rules</td><td>Prefer zone-a, avoid same node as another pod</td></tr>
+<tr><td><strong>Taints & Tolerations</strong></td><td>Repel Pods trừ khi Pod có Toleration</td><td>Node dành riêng cho GPU workloads</td></tr>
+<tr><td><strong>Resource requests</strong></td><td>Minimum CPU/memory để schedule</td><td>requests.cpu: 500m</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> <strong>Taints</strong> áp lên Node (repel pods). <strong>Tolerations</strong> áp lên Pod (accept taint). Taint có effect: <strong>NoSchedule</strong> (không schedule mới), <strong>PreferNoSchedule</strong> (ưu tiên không schedule), <strong>NoExecute</strong> (evict pods đang chạy).</p></blockquote>
+<h2 id="resources">2. Resource Requests & Limits</h2>
+<table>
+<thead><tr><th>Setting</th><th>Ảnh hưởng đến</th><th>Nếu vượt quá</th></tr></thead>
+<tbody>
+<tr><td><strong>requests.cpu</strong></td><td>Scheduling (scheduler dùng để chọn node)</td><td>Throttled (không bị kill)</td></tr>
+<tr><td><strong>limits.cpu</strong></td><td>Cgroups CPU quota</td><td>CPU throttled</td></tr>
+<tr><td><strong>requests.memory</strong></td><td>Scheduling</td><td>OOM Kill nếu vượt limit</td></tr>
+<tr><td><strong>limits.memory</strong></td><td>Cgroups memory limit</td><td>Container bị <strong>OOM Kill</strong></td></tr>
+</tbody>
+</table>
+<pre><code class="language-text">QoS Classes:
+  Guaranteed: requests == limits (best quality, last to be evicted)
+  Burstable:  requests < limits (middle)
+  BestEffort: no requests, no limits (first to be evicted)</code></pre>
+<h2 id="autoscaling">3. Auto-scaling</h2>
+<table>
+<thead><tr><th>Scaler</th><th>Scale gì</th><th>Metric</th></tr></thead>
+<tbody>
+<tr><td><strong>HPA</strong> (Horizontal Pod Autoscaler)</td><td>Số lượng Pod replicas</td><td>CPU%, Memory%, custom metrics</td></tr>
+<tr><td><strong>VPA</strong> (Vertical Pod Autoscaler)</td><td>CPU/Memory requests của Pod</td><td>Actual usage history</td></tr>
+<tr><td><strong>Cluster Autoscaler</strong></td><td>Số lượng nodes trong cluster</td><td>Pending Pods (unschedulable)</td></tr>
+<tr><td><strong>KEDA</strong></td><td>Số replicas (to 0)</td><td>Event-driven (queue depth, Kafka)</td></tr>
+</tbody>
+</table>
+<pre><code class="language-text">HPA integration:
+  metrics-server → kubelet → Node/Pod metrics
+       ↓
+  HPA controller (checks every 15s)
+       ↓
+  Scale up: replicas++  (traffic spike)
+  Scale down: replicas-- (traffic drops, 5 min cooldown)</code></pre>
+<blockquote><p><strong>Exam tip:</strong> HPA cần <strong>metrics-server</strong> để hoạt động. VPA và HPA có thể conflict khi cùng manage một Deployment — không nên dùng cùng lúc trên cùng resource (trừ KEDA với nhiều dimension).</p></blockquote>
+<h2 id="namespaces">4. Namespaces & Multi-tenancy</h2>
+<p><strong>Namespaces</strong> cung cấp virtual cluster isolation: scope RBAC, ResourceQuota, NetworkPolicy, và DNS resolution.</p>
+<table>
+<thead><tr><th>Namespace</th><th>Purpose</th><th>Ghi chú</th></tr></thead>
+<tbody>
+<tr><td><code>default</code></td><td>Objects không chỉ định namespace</td><td>Dùng trong dev, không dùng prod</td></tr>
+<tr><td><code>kube-system</code></td><td>Kubernetes system components</td><td>CoreDNS, kube-proxy, metrics-server</td></tr>
+<tr><td><code>kube-public</code></td><td>Public, readable by all</td><td>Cluster info ConfigMap</td></tr>
+<tr><td><code>kube-node-lease</code></td><td>Node heartbeat leases</td><td>Kubelet heartbeat performance</td></tr>
+</tbody>
+</table>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Scale số Pod dựa trên CPU?</td><td><strong>HPA</strong></td></tr>
+<tr><td>Scale số Node trong cluster?</td><td><strong>Cluster Autoscaler</strong></td></tr>
+<tr><td>Node dành riêng cho GPU, dùng gì?</td><td><strong>Taint</strong> + Pod <strong>Toleration</strong></td></tr>
+<tr><td>Container bị OOM Kill, do gì?</td><td>Vượt <strong>limits.memory</strong></td></tr>
+<tr><td>QoS class nào bị evict đầu tiên?</td><td><strong>BestEffort</strong></td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A node is tainted with <code>key=gpu:NoSchedule</code>. Which Pods can be scheduled on this node?</p>
+<ul>
+<li>A) Any Pod in the cluster</li>
+<li>B) Pods with matching Toleration for the taint ✓</li>
+<li>C) Pods in the kube-system namespace only</li>
+<li>D) Pods created by cluster administrators only</li>
+</ul>
+<p><em>Explanation: NoSchedule taint prevents any new Pod from being scheduled on the node UNLESS the Pod specifies a matching toleration. Existing Pods are not evicted (use NoExecute for that).</em></p>
+<p><strong>Q2:</strong> An application's Pods keep getting OOM-killed during traffic spikes. What is the most appropriate solution?</p>
+<ul>
+<li>A) Increase Pod CPU requests</li>
+<li>B) Configure HPA to scale based on memory usage ✓</li>
+<li>C) Move the app to a new namespace</li>
+<li>D) Use a StatefulSet instead of Deployment</li>
+</ul>
+<p><em>Explanation: OOM kills mean memory demand exceeds limits. HPA scaling out (more Pod replicas) distributes the load, reducing per-pod memory pressure. Alternatively, increase memory limits or use VPA.</em></p>
+<p><strong>Q3:</strong> Which Kubernetes component provides CPU and memory metrics that HPA uses for scaling decisions?</p>
+<ul>
+<li>A) kube-proxy</li>
+<li>B) kube-scheduler</li>
+<li>C) metrics-server ✓</li>
+<li>D) etcd</li>
+</ul>
+<p><em>Explanation: metrics-server is an optional cluster add-on that collects resource metrics (CPU, memory) from kubelets. The HPA controller queries the metrics API exposed by metrics-server to make scaling decisions.</em></p>