npm - @xdev-asia/xdev-knowledge-mcp - Versions diffs - 1.0.43 → 1.0.45 - Mend

@xdev-asia/xdev-knowledge-mcp 1.0.43 → 1.0.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/content/series/luyen-thi/luyen-thi-ckad/chapters/04-app-environment-config/lessons/06-configmaps-secrets.md ADDED Viewed

@@ -0,0 +1,182 @@
+---
+id: ckad-d4-l06
+title: 'Bài 6: ConfigMaps & Secrets'
+slug: 06-configmaps-secrets
+description: >-
+  Tạo và consume ConfigMaps và Secrets trong Kubernetes. Inject qua env vars
+  (envFrom, valueFrom) và volume mounts. Secret types và security considerations.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 6
+section_title: "Domain 4: Application Environment, Configuration and Security (25%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai6-configmap-secret.png" alt="ConfigMap và Secret injection — envFrom, valueFrom và Volume Mount" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="configmap">1. ConfigMap</h2>
+<p>ConfigMap lưu trữ cặp key-value non-sensitive. Không được mã hóa (plain text).</p>
+<pre><code class="language-text"># Tạo ConfigMap — Imperative
+kubectl create configmap app-config \
+  --from-literal=DB_HOST=mysql \
+  --from-literal=DB_PORT=3306
+kubectl create configmap app-config --from-file=config.properties
+kubectl create configmap app-config --from-env-file=.env
+# Declarative YAML
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: app-config
+data:
+  DB_HOST: mysql
+  DB_PORT: "3306"
+  config.properties: |
+    server.port=8080
+    debug=false</code></pre>
+<h2 id="secret">2. Secret</h2>
+<p>Secret lưu trữ sensitive data. Được <strong>base64 encode</strong> (không phải mã hóa — encode thôi!).</p>
+<pre><code class="language-text"># Tạo Secret — Imperative
+kubectl create secret generic db-secret \
+  --from-literal=username=admin \
+  --from-literal=password=mypassword
+kubectl create secret generic db-secret --from-file=credentials.txt
+# Declarative (base64 encode trước)
+echo -n 'admin' | base64    # YWRtaW4=
+echo -n 'mypassword' | base64  # bXlwYXNzd29yZA==
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-secret
+type: Opaque
+data:
+  username: YWRtaW4=
+  password: bXlwYXNzd29yZA==</code></pre>
+<table>
+<thead><tr><th>Secret Type</th><th>Mục đích</th></tr></thead>
+<tbody>
+<tr><td><code>Opaque</code></td><td>Generic — default type, any key-value data</td></tr>
+<tr><td><code>kubernetes.io/dockerconfigjson</code></td><td>Docker registry credentials</td></tr>
+<tr><td><code>kubernetes.io/tls</code></td><td>TLS certificate và private key</td></tr>
+<tr><td><code>kubernetes.io/service-account-token</code></td><td>ServiceAccount token (auto-created)</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Secret data là <strong>base64 encoded, không encrypted</strong>. Bất kỳ ai có quyền đọc Secret đều có thể decode: <code>echo 'YWRtaW4=' | base64 -d</code>. Để encrypt at rest, phải enable EncryptionConfiguration — nhưng CKAD không test điều này. Exam thường test: tạo secret và inject vào Pod.</p></blockquote>
+<h2 id="inject-env">3. Inject qua Environment Variables</h2>
+<pre><code class="language-text">spec:
+  containers:
+  - name: app
+    image: myapp
+    # Method 1: envFrom — load ALL keys as env vars
+    envFrom:
+    - configMapRef:
+        name: app-config
+    - secretRef:
+        name: db-secret
+    # Method 2: valueFrom — load SPECIFIC key
+    env:
+    - name: DATABASE_HOST
+      valueFrom:
+        configMapKeyRef:
+          name: app-config
+          key: DB_HOST
+    - name: DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: db-secret
+          key: password</code></pre>
+<h2 id="inject-volume">4. Inject qua Volume Mount</h2>
+<pre><code class="language-text">spec:
+  volumes:
+  - name: config-vol
+    configMap:
+      name: app-config
+  - name: secret-vol
+    secret:
+      secretName: db-secret
+  containers:
+  - name: app
+    image: myapp
+    volumeMounts:
+    - name: config-vol
+      mountPath: /etc/config    # Each key becomes a file
+    - name: secret-vol
+      mountPath: /etc/secrets
+      readOnly: true
+  # Result: /etc/config/DB_HOST contains "mysql"
+  #         /etc/secrets/password contains "mypassword" (decoded)</code></pre>
+<table>
+<thead><tr><th>Method</th><th>Khi dùng</th><th>Auto-update khi CM/Secret đổi?</th></tr></thead>
+<tbody>
+<tr><td><code>envFrom</code> / <code>env.valueFrom</code></td><td>App đọc env vars</td><td>Không (cần restart pod)</td></tr>
+<tr><td>Volume mount</td><td>App đọc từ files, hoặc cần auto-reload</td><td>Có (sau ~1-2 phút)</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Volume-mounted ConfigMaps/Secrets tự động update khi nguồn thay đổi (sau kubelet sync period ~1 phút). Env vars phải restart pod mới reflect changes. CKAD thường test cả 2 methods — nắm rõ syntax của <code>configMapKeyRef</code> vs <code>configMapRef</code> (có chữ "Key" thì là single key).</p></blockquote>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Task</th><th>Command / YAML</th></tr></thead>
+<tbody>
+<tr><td>Tạo CM từ literals</td><td><code>kubectl create cm name --from-literal=k=v</code></td></tr>
+<tr><td>Tạo Secret từ literals</td><td><code>kubectl create secret generic n --from-literal=k=v</code></td></tr>
+<tr><td>Load all CM keys as env</td><td><code>envFrom: - configMapRef: name: ...</code></td></tr>
+<tr><td>Load specific key</td><td><code>env: - valueFrom: configMapKeyRef: ...</code></td></tr>
+<tr><td>Mount as files</td><td><code>volumes: configMap/secret + volumeMounts</code></td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A Pod needs to consume ALL key-value pairs from a ConfigMap named "app-settings" as environment variables. Which configuration is correct?</p>
+<ul>
+<li>A) <code>env: - name: APP_SETTINGS valueFrom: configMapRef: name: app-settings</code></li>
+<li>B) <code>envFrom: - configMapRef: name: app-settings</code> ✓</li>
+<li>C) <code>volumes: - configMap: name: app-settings</code></li>
+<li>D) <code>env: - configMapKeyRef: name: app-settings key: "*"</code></li>
+</ul>
+<p><em>Explanation: envFrom with configMapRef loads ALL keys from the ConfigMap as environment variables. env with valueFrom configMapKeyRef only loads ONE specific key. The wildcard "*" syntax does not exist.</em></p>
+<p><strong>Q2:</strong> You create a Secret with the command: kubectl create secret generic mysecret --from-literal=password=secret123. How is the data stored in etcd?</p>
+<ul>
+<li>A) Plain text: "password=secret123"</li>
+<li>B) AES-256 encrypted</li>
+<li>C) Base64 encoded ✓</li>
+<li>D) SHA-256 hashed</li>
+</ul>
+<p><em>Explanation: By default, Kubernetes stores Secret data as base64 encoded values in etcd — NOT encrypted. Base64 is encoding, not encryption. Anyone with etcd access can decode it. To encrypt at rest, an EncryptionConfiguration must be configured separately.</em></p>
+<p><strong>Q3:</strong> A ConfigMap is updated with new values. A Pod is using this ConfigMap mounted as a volume at /etc/config. What happens?</p>
+<ul>
+<li>A) The Pod fails immediately because the config changed</li>
+<li>B) The files in /etc/config are automatically updated (with a short delay) ✓</li>
+<li>C) Nothing happens — the Pod must be restarted to see changes</li>
+<li>D) The Pod is restarted automatically by Kubernetes</li>
+</ul>
+<p><em>Explanation: Volume-mounted ConfigMaps are automatically updated when the ConfigMap changes, after the kubelet sync period (typically ~1 minute). Environment variables from ConfigMaps do NOT auto-update — the Pod must be recreated. Applications that watch for file changes can react to these updates without restarts.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/chapters/04-app-environment-config/lessons/07-securitycontext-pod-security.md ADDED Viewed

@@ -0,0 +1,168 @@
+---
+id: ckad-d4-l07
+title: 'Bài 7: SecurityContext, Capabilities & ServiceAccounts'
+slug: 07-securitycontext-pod-security
+description: >-
+  SecurityContext cho Pod và Container: runAsUser, runAsNonRoot, readOnlyRootFilesystem,
+  Linux capabilities. ServiceAccount binding và automountServiceAccountToken.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 7
+section_title: "Domain 4: Application Environment, Configuration and Security (25%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai7-security-context.png" alt="SecurityContext — Pod-level vs Container-level, Linux capabilities" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="securitycontext">1. SecurityContext</h2>
+<p>SecurityContext định nghĩa các privilege và access control settings cho Pod hoặc Container.</p>
+<pre><code class="language-text">apiVersion: v1
+kind: Pod
+spec:
+  securityContext:            # Pod-level: applies to ALL containers
+    runAsUser: 1000           # UID để chạy containers
+    runAsGroup: 3000          # GID primary group
+    fsGroup: 2000             # GID cho mounted volumes
+    runAsNonRoot: true        # Reject containers that run as root
+  containers:
+  - name: app
+    image: myapp
+    securityContext:          # Container-level: overrides pod-level
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true   # Filesystem là read-only
+      capabilities:
+        add: ["NET_BIND_SERVICE"]    # Add capability
+        drop: ["ALL"]               # Drop all, add only what needed</code></pre>
+<table>
+<thead><tr><th>Setting</th><th>Level</th><th>Tác dụng</th></tr></thead>
+<tbody>
+<tr><td><code>runAsUser</code></td><td>Pod/Container</td><td>Chạy process với UID cụ thể</td></tr>
+<tr><td><code>runAsNonRoot</code></td><td>Pod/Container</td><td>Từ chối chạy nếu UID = 0 (root)</td></tr>
+<tr><td><code>readOnlyRootFilesystem</code></td><td>Container</td><td>Mount root filesystem read-only</td></tr>
+<tr><td><code>allowPrivilegeEscalation</code></td><td>Container</td><td>Chặn privilege escalation (sudo etc.)</td></tr>
+<tr><td><code>privileged</code></td><td>Container</td><td>Run as privileged (như root trên host)</td></tr>
+<tr><td><code>fsGroup</code></td><td>Pod</td><td>GID cho volume files (shared volume access)</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Container-level <code>securityContext</code> <strong>override</strong> Pod-level settings. Nếu Pod có <code>runAsUser: 1000</code> và container có <code>runAsUser: 2000</code>, container đó chạy với UID 2000. Hay bị test: verify user bằng <code>kubectl exec pod -- id</code> hoặc <code>whoami</code>.</p></blockquote>
+<h2 id="capabilities">2. Linux Capabilities</h2>
+<pre><code class="language-text">Capabilities cho phép grant specific privileges mà không cần full root.
+# Ví dụ thường gặp:
+NET_BIND_SERVICE  — Bind to port < 1024 (e.g., port 80)
+NET_ADMIN         — Network administration (ifconfig etc.)
+SYS_TIME          — Modify system clock
+CHOWN             — Change file ownership
+SETUID/SETGID     — Change user/group ID
+securityContext:
+  capabilities:
+    drop: ["ALL"]             # Best practice: drop all first
+    add: ["NET_BIND_SERVICE"] # Then re-add only what's needed</code></pre>
+<h2 id="serviceaccount">3. ServiceAccounts</h2>
+<p>Pod dùng <strong>ServiceAccount</strong> để authenticate với Kubernetes API.</p>
+<pre><code class="language-text"># Tạo ServiceAccount
+kubectl create serviceaccount my-sa
+# Bind vào Role
+kubectl create rolebinding my-binding \
+  --role=pod-reader \
+  --serviceaccount=default:my-sa
+# Assign SA cho Pod
+spec:
+  serviceAccountName: my-sa     # Use specific SA
+  automountServiceAccountToken: false  # Don't auto-mount SA token
+# Mặc định: default SA được mount tại /var/run/secrets/kubernetes.io/serviceaccount/
+# Token file có thể gọi K8s API từ container</code></pre>
+<table>
+<thead><tr><th>Concept</th><th>Mô tả</th></tr></thead>
+<tbody>
+<tr><td>Default SA</td><td>Mỗi namespace có sẵn <code>default</code> SA (ít quyền)</td></tr>
+<tr><td>Token mount</td><td>Token tự động mount vào pod nếu không tắt</td></tr>
+<tr><td><code>automountServiceAccountToken: false</code></td><td>Tắt việc mount token (best security practice)</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Khi Pod cần gọi Kubernetes API (ví dụ: operator pattern), cần ServiceAccount có quyền phù hợp. Nếu Pod không cần gọi API, best practice là set <code>automountServiceAccountToken: false</code>. CKAD thường test: tạo SA, bind role, và set SA trong Pod spec.</p></blockquote>
+<h2 id="readonly-volume">4. readOnlyRootFilesystem với emptyDir</h2>
+<pre><code class="language-text"># Khi dùng readOnlyRootFilesystem: true, app KHÔNG ghi vào root FS.
+# Nhưng app vẫn cần ghi temp files → dùng emptyDir volume:
+spec:
+  containers:
+  - name: app
+    image: myapp
+    securityContext:
+      readOnlyRootFilesystem: true
+    volumeMounts:
+    - name: tmp
+      mountPath: /tmp        # App ghi temp files vào đây
+    - name: cache
+      mountPath: /app/cache
+  volumes:
+  - name: tmp
+    emptyDir: {}
+  - name: cache
+    emptyDir: {}</code></pre>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Task</th><th>YAML / Command</th></tr></thead>
+<tbody>
+<tr><td>Run container as non-root</td><td><code>securityContext: runAsNonRoot: true</code></td></tr>
+<tr><td>Run với specific UID</td><td><code>securityContext: runAsUser: 1000</code></td></tr>
+<tr><td>Read-only filesystem</td><td><code>securityContext: readOnlyRootFilesystem: true</code></td></tr>
+<tr><td>Drop all capabilities</td><td><code>capabilities: drop: ["ALL"]</code></td></tr>
+<tr><td>Gán ServiceAccount</td><td><code>spec: serviceAccountName: my-sa</code></td></tr>
+<tr><td>Verify user trong container</td><td><code>kubectl exec pod -- whoami</code></td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A Pod spec has securityContext.runAsUser: 1000 at the Pod level. One container within the Pod has securityContext.runAsUser: 2000. What UID does that container run with?</p>
+<ul>
+<li>A) 0 (root, because Pod-level overrides)</li>
+<li>B) 1000 (Pod-level takes priority)</li>
+<li>C) 2000 (Container-level overrides Pod-level) ✓</li>
+<li>D) Both UIDs simultaneously</li>
+</ul>
+<p><em>Explanation: Container-level securityContext settings override Pod-level settings. The container runs with UID 2000. Other containers in the same Pod without a container-level securityContext.runAsUser would inherit the Pod-level UID of 1000.</em></p>
+<p><strong>Q2:</strong> An application container needs to bind to port 80 (a privileged port below 1024) but should NOT run as root. How do you configure this?</p>
+<ul>
+<li>A) Set securityContext.privileged: true</li>
+<li>B) Set securityContext.runAsUser: 0</li>
+<li>C) Add NET_BIND_SERVICE capability while dropping ALL others ✓</li>
+<li>D) Use a NodePort Service instead of port 80</li>
+</ul>
+<p><em>Explanation: Linux capabilities allow granular privilege grants. NET_BIND_SERVICE allows binding to ports below 1024 without full root. Best practice is to drop ALL capabilities first, then add only what's needed: capabilities: { drop: ["ALL"], add: ["NET_BIND_SERVICE"] }.</em></p>
+<p><strong>Q3:</strong> A Pod is running with readOnlyRootFilesystem: true, but the application tries to write to /tmp and fails. What is the best solution?</p>
+<ul>
+<li>A) Remove readOnlyRootFilesystem: true</li>
+<li>B) Set securityContext.privileged: true</li>
+<li>C) Mount an emptyDir volume at /tmp ✓</li>
+<li>D) Use a ConfigMap mounted at /tmp</li>
+</ul>
+<p><em>Explanation: readOnlyRootFilesystem prevents writes to the container's filesystem, but emptyDir volumes are separate writable mounts. By mounting an emptyDir at /tmp, the application can write temp files there while the root filesystem remains read-only — maintaining the security benefit.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/chapters/04-app-environment-config/lessons/08-resources-qos.md ADDED Viewed

@@ -0,0 +1,168 @@
+---
+id: ckad-d4-l08
+title: 'Bài 8: Resource Requests, Limits & QoS'
+slug: 08-resources-qos
+description: >-
+  Resource requests vs limits (CPU, Memory). QoS classes: Guaranteed, Burstable,
+  BestEffort. LimitRange defaults và ResourceQuota namespace limits.
+duration_minutes: 50
+is_free: true
+video_url: null
+sort_order: 8
+section_title: "Domain 4: Application Environment, Configuration and Security (25%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai8-qos-classes.png" alt="Resource Requests, Limits và QoS Classes — Guaranteed, Burstable, BestEffort" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<h2 id="requests-limits">1. Requests vs Limits</h2>
+<pre><code class="language-text">resources:
+  requests:
+    cpu: "250m"      # 250 millicores = 0.25 CPU (scheduling)
+    memory: "128Mi"  # Minimum guaranteed memory
+  limits:
+    cpu: "500m"      # Max CPU (throttled but not killed)
+    memory: "256Mi"  # Max memory (killed if exceeded → OOMKilled)</code></pre>
+<table>
+<thead><tr><th>Resource</th><th>Khi vượt requests</th><th>Khi vượt limits</th></tr></thead>
+<tbody>
+<tr><td><strong>CPU</strong></td><td>Chạy bình thường (burst)</td><td>Bị throttled (chậm lại, không kill)</td></tr>
+<tr><td><strong>Memory</strong></td><td>Chạy bình thường</td><td>Container bị kill → OOMKilled</td></tr>
+</tbody>
+</table>
+<pre><code class="language-text">CPU units:
+  1 CPU = 1000m (millicores)
+  0.5 CPU = 500m
+  100m = 0.1 CPU
+Memory units:
+  Ki (Kibibyte) = 1024 bytes
+  Mi (Mebibyte) = 1024 Ki
+  Gi (Gibibyte) = 1024 Mi
+  (NOT KB/MB/GB which are decimal)</code></pre>
+<h2 id="qos">2. QoS Classes</h2>
+<pre><code class="language-text">QoS = Quality of Service (kiểm soát eviction priority)
+┌─────────────────────────────────────────────────────────┐
+│  GUARANTEED — Last to evict                             │
+│  ✓ CPU requests == CPU limits                           │
+│  ✓ Memory requests == Memory limits                     │
+│  ✓ ALL containers in pod must satisfy                   │
+├─────────────────────────────────────────────────────────┤
+│  BURSTABLE — Middle priority                            │
+│  ✓ At least one container has requests OR limits        │
+│  ✗ Doesn't meet Guaranteed criteria                     │
+├─────────────────────────────────────────────────────────┤
+│  BESTEFFORT — First to evict                            │
+│  ✗ NO requests, NO limits set at all                    │
+└─────────────────────────────────────────────────────────┘</code></pre>
+<table>
+<thead><tr><th>QoS Class</th><th>Điều kiện</th><th>Eviction priority</th></tr></thead>
+<tbody>
+<tr><td><strong>Guaranteed</strong></td><td>requests == limits cho CPU và Memory (tất cả containers)</td><td>Thấp nhất (last evicted)</td></tr>
+<tr><td><strong>Burstable</strong></td><td>Ít nhất một container có request/limit, không đủ Guaranteed</td><td>Trung bình</td></tr>
+<tr><td><strong>BestEffort</strong></td><td>Không có bất kỳ request/limit nào</td><td>Cao nhất (first evicted)</td></tr>
+</tbody>
+</table>
+<blockquote><p><strong>Exam tip:</strong> Kiểm tra QoS class của pod: <code>kubectl describe pod &lt;name&gt; | grep -i qos</code> hoặc <code>kubectl get pod &lt;name&gt; -o jsonpath='{.status.qosClass}'</code>. Để đạt Guaranteed: set requests = limits cho CẢ CPU lẫn memory, trong CẢ containers (kể cả init containers).</p></blockquote>
+<h2 id="limitrange">3. LimitRange</h2>
+<p>LimitRange đặt default requests/limits cho Pods trong namespace — áp dụng khi Pod không tự set.</p>
+<pre><code class="language-text">apiVersion: v1
+kind: LimitRange
+metadata:
+  name: mem-limit-range
+  namespace: development
+spec:
+  limits:
+  - type: Container
+    default:          # Default limits (khi container không set limits)
+      memory: 512Mi
+      cpu: 500m
+    defaultRequest:   # Default requests (khi container không set requests)
+      memory: 256Mi
+      cpu: 250m
+    max:              # Maximum allowed limits
+      memory: 1Gi
+      cpu: "1"
+    min:              # Minimum required requests
+      memory: 64Mi
+      cpu: 50m</code></pre>
+<h2 id="resourcequota">4. ResourceQuota</h2>
+<pre><code class="language-text">apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: production-quota
+  namespace: production
+spec:
+  hard:
+    # Compute resources
+    requests.cpu: "10"
+    requests.memory: 20Gi
+    limits.cpu: "20"
+    limits.memory: 40Gi
+    # Object counts
+    pods: "50"
+    services: "20"
+    persistentvolumeclaims: "10"
+    secrets: "30"
+    configmaps: "30"</code></pre>
+<blockquote><p><strong>Exam tip:</strong> Nếu namespace có ResourceQuota yêu cầu resource limits, thì <strong>tất cả Pods</strong> trong namespace đó PHẢI set resource requests và limits — hoặc phải có LimitRange cung cấp defaults. Nếu không set, API server sẽ reject Pod creation.</p></blockquote>
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+<table>
+<thead><tr><th>Tình huống</th><th>Giải pháp</th></tr></thead>
+<tbody>
+<tr><td>Container bị OOMKilled</td><td>Tăng <code>limits.memory</code></td></tr>
+<tr><td>Container bị throttled (chậm)</td><td>Tăng <code>limits.cpu</code></td></tr>
+<tr><td>Pod không schedule được</td><td>Giảm <code>requests</code> hoặc scale cluster</td></tr>
+<tr><td>QoS là Guaranteed</td><td><code>requests == limits</code> cho CPU và Memory</td></tr>
+<tr><td>Set default limits cho namespace</td><td><strong>LimitRange</strong></td></tr>
+<tr><td>Giới hạn tổng resource của namespace</td><td><strong>ResourceQuota</strong></td></tr>
+</tbody>
+</table>
+<h2 id="practice">6. Practice Questions</h2>
+<p><strong>Q1:</strong> A container has cpu requests=200m, cpu limits=500m, memory requests=256Mi, memory limits=256Mi. What is the QoS class of this Pod (assuming it's the only container)?</p>
+<ul>
+<li>A) Guaranteed</li>
+<li>B) Burstable ✓</li>
+<li>C) BestEffort</li>
+<li>D) Critical</li>
+</ul>
+<p><em>Explanation: For Guaranteed, all requests must equal limits. Here cpu requests (200m) ≠ cpu limits (500m). Memory requests do equal limits (256Mi). Since the criteria for Guaranteed is not fully met, but resources are set, the class is Burstable.</em></p>
+<p><strong>Q2:</strong> A container's memory usage exceeds its memory limit. What happens?</p>
+<ul>
+<li>A) The container is throttled (slowed down)</li>
+<li>B) The container is terminated and restarted (OOMKilled) ✓</li>
+<li>C) The container is evicted from the node</li>
+<li>D) The Pod is rescheduled to a different node</li>
+</ul>
+<p><em>Explanation: Unlike CPU (which is compressible — throttled but not killed), memory is incompressible. When a container exceeds its memory limit, it receives an OOMKilled exit code and is restarted by the container runtime. Repeated OOMKills lead to CrashLoopBackOff.</em></p>
+<p><strong>Q3:</strong> A namespace has a ResourceQuota requiring limits.memory to be set on all Pods. A new Pod is created without any resource limits. What happens?</p>
+<ul>
+<li>A) The Pod starts with no limits (ResourceQuota applies only to running Pods)</li>
+<li>B) The Pod is rejected by the API server unless a LimitRange provides defaults ✓</li>
+<li>C) The Pod starts with default limits of 512Mi</li>
+<li>D) The ResourceQuota is automatically updated to exclude this Pod</li>
+</ul>
+<p><em>Explanation: When a ResourceQuota exists in a namespace that covers memory limits, ALL Pods must specify memory limits. If no LimitRange provides defaults, the API server rejects the Pod. Solution: either set limits on the Pod, or create a LimitRange with defaultRequest/default values for the namespace.</em></p>