@xdev-asia/xdev-knowledge-mcp 1.0.44 → 1.0.45

package/content/series/luyen-thi/luyen-thi-cka/chapters/05-troubleshooting/lessons/09-etcd-backup-restore.md

@@ -0,0 +1,149 @@
+---
+id: cka-d5-l09
+title: 'Bài 9: etcd Backup & Restore'
+slug: 09-etcd-backup-restore
+description: >-
+  etcd backup với etcdctl snapshot. Restore cluster từ backup. TLS certificates
+  cho etcd. Critical CKA exam task — cần thành thạo hoàn toàn.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 9
+section_title: "Domain 5: Troubleshooting (30%)"
+course:
+  id: lt-cka-series-001
+  title: 'Luyện thi CKA — Certified Kubernetes Administrator'
+  slug: luyen-thi-cka
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-cka-bai9-etcd.png" alt="etcd Backup và Restore Procedure" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="etcd-overview">1. etcd — Tổng quan</h2>
+
+<p><strong>etcd</strong> là distributed key-value store lưu trữ toàn bộ cluster state: Pods, Services, Secrets, ConfigMaps, Nodes. Mất etcd = mất toàn bộ cluster.</p>
+
+<pre><code class="language-text">etcd info từ kube-apiserver manifest:
+  cat /etc/kubernetes/manifests/etcd.yaml
+
+Key paths:
+  --data-dir=/var/lib/etcd          # Data directory
+  --cert-file=/etc/kubernetes/pki/etcd/server.crt
+  --key-file=/etc/kubernetes/pki/etcd/server.key
+  --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
+  --listen-client-urls=https://127.0.0.1:2379</code></pre>
+
+<h2 id="etcdctl-setup">2. etcdctl Setup</h2>
+
+<pre><code class="language-text"># Set API version (always use v3)
+export ETCDCTL_API=3
+
+# Find etcd certs
+ls /etc/kubernetes/pki/etcd/
+# ca.crt, server.crt, server.key, healthcheck-client.*
+
+# Test connection
+etcdctl member list \
+  --endpoints=https://127.0.0.1:2379 \
+  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
+  --cert=/etc/kubernetes/pki/etcd/server.crt \
+  --key=/etc/kubernetes/pki/etcd/server.key</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> Phải set <code>ETCDCTL_API=3</code> trước khi dùng etcdctl. API v2 dùng lệnh khác và không tương thích. Trên exam, nếu quên certs path: <code>cat /etc/kubernetes/manifests/etcd.yaml | grep cert</code> hoặc <code>kubectl describe pod etcd -n kube-system</code>.</p></blockquote>
+
+<h2 id="backup">3. Backup etcd</h2>
+
+<pre><code class="language-text">ETCDCTL_API=3 etcdctl snapshot save /opt/etcd-backup.db \
+  --endpoints=https://127.0.0.1:2379 \
+  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
+  --cert=/etc/kubernetes/pki/etcd/server.crt \
+  --key=/etc/kubernetes/pki/etcd/server.key
+
+# Verify backup
+ETCDCTL_API=3 etcdctl snapshot status /opt/etcd-backup.db \
+  --write-out=table
+
+# Output:
++----------+----------+------------+------------+
+|   HASH   | REVISION | TOTAL KEYS | TOTAL SIZE |
++----------+----------+------------+------------+
+| abcdef12 |    12345 |       1234 |     4.5 MB |
++----------+----------+------------+------------+</code></pre>
+
+<h2 id="restore">4. Restore etcd</h2>
+
+<pre><code class="language-text"># Step 1: Restore to new data directory
+ETCDCTL_API=3 etcdctl snapshot restore /opt/etcd-backup.db \
+  --data-dir=/var/lib/etcd-restore
+
+# Step 2: Update etcd manifest to use new data dir
+vi /etc/kubernetes/manifests/etcd.yaml
+
+# Change --data-dir và hostPath volume:
+spec:
+  containers:
+  - command:
+    - --data-dir=/var/lib/etcd-restore  # Changed
+  volumes:
+  - hostPath:
+      path: /var/lib/etcd-restore       # Changed
+      type: DirectoryOrCreate
+    name: etcd-data
+
+# Step 3: kubelet detects manifest change → restarts etcd
+# Wait for etcd to restart (may take 2-3 min)
+kubectl get pods -n kube-system | grep etcd</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> Sau khi restore, cần đợi toàn bộ control plane restart và sync. Có thể cần restart: <code>systemctl restart kubelet</code>. Nếu API server không lên, xem logs: <code>crictl logs $(crictl ps -a --name kube-apiserver -q)</code>.</p></blockquote>
+
+<h2 id="cheatsheet">5. Cheat Sheet — etcd Backup/Restore</h2>
+
+<pre><code class="language-text"># BACKUP (4 required flags):
+ETCDCTL_API=3 etcdctl snapshot save BACKUP_PATH \
+  --endpoints=https://127.0.0.1:2379 \
+  --cacert=CA_CERT \
+  --cert=SERVER_CERT \
+  --key=SERVER_KEY
+
+# RESTORE (minimal):
+ETCDCTL_API=3 etcdctl snapshot restore BACKUP_PATH \
+  --data-dir=NEW_DATA_DIR
+
+# Then update /etc/kubernetes/manifests/etcd.yaml → data-dir + volume path</code></pre>
+
+<table>
+<thead><tr><th>Cert File</th><th>Path</th><th>Flag</th></tr></thead>
+<tbody>
+<tr><td>CA cert</td><td>/etc/kubernetes/pki/etcd/ca.crt</td><td>--cacert</td></tr>
+<tr><td>Server cert</td><td>/etc/kubernetes/pki/etcd/server.crt</td><td>--cert</td></tr>
+<tr><td>Server key</td><td>/etc/kubernetes/pki/etcd/server.key</td><td>--key</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> You perform an etcd snapshot restore to /var/lib/etcd-new. The cluster does not recover. What step is most likely missing?</p>
+<ul>
+<li>A) You need to re-run kubeadm init</li>
+<li>B) The etcd static Pod manifest data-dir and volume path must be updated to point to the new directory ✓</li>
+<li>C) etctdl restore must be run with --force flag</li>
+<li>D) The kube-apiserver certificate must be rotated</li>
+</ul>
+<p><em>Explanation: After restoring to a new directory, etcd's static Pod manifest (/etc/kubernetes/manifests/etcd.yaml) must be updated: change --data-dir flag AND the hostPath volume path to the new directory. Otherwise, etcd still reads the old (broken) data directory.</em></p>
+
+<p><strong>Q2:</strong> What environment variable must be set to use etcdctl v3 API commands?</p>
+<ul>
+<li>A) ETCD_VERSION=3</li>
+<li>B) ETCDCTL_API=3 ✓</li>
+<li>C) KUBECONFIG=/etc/kubernetes/etcd.conf</li>
+<li>D) ETCD_ENDPOINT=localhost:2379</li>
+</ul>
+<p><em>Explanation: ETCDCTL_API=3 enables v3 API commands (snapshot save, snapshot restore). Without it, etcdctl defaults to v2, which uses different command syntax and is incompatible with etcd v3 clusters (which all Kubernetes clusters use).</em></p>
+
+<p><strong>Q3:</strong> Which of the following contains the TLS certificates required for etcdctl to communicate with the etcd server?</p>
+<ul>
+<li>A) /etc/kubernetes/pki/apiserver*.crt</li>
+<li>B) /etc/kubernetes/pki/etcd/ directory ✓</li>
+<li>C) ~/.kube/config</li>
+<li>D) /var/lib/etcd/certs/</li>
+</ul>
+<p><em>Explanation: etcd certificates are stored in /etc/kubernetes/pki/etcd/. Important files: ca.crt (CA), server.crt and server.key (for etcdctl). These paths are also defined in the etcd static Pod manifest.</em></p>

package/content/series/luyen-thi/luyen-thi-cka/chapters/05-troubleshooting/lessons/10-troubleshooting-nodes.md

@@ -0,0 +1,153 @@
+---
+id: cka-d5-l10
+title: 'Bài 10: Troubleshooting Nodes'
+slug: 10-troubleshooting-nodes
+description: >-
+  Debug node NotReady: kubelet, container runtime, certificates. Node conditions,
+  resource pressure, disk pressure. Systematic troubleshooting approach.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 10
+section_title: "Domain 5: Troubleshooting (30%)"
+course:
+  id: lt-cka-series-001
+  title: 'Luyện thi CKA — Certified Kubernetes Administrator'
+  slug: luyen-thi-cka
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-cka-bai10-node-debug.png" alt="Node Troubleshooting Decision Tree — NotReady debug workflow" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="node-conditions">1. Node Conditions</h2>
+
+<pre><code class="language-text">kubectl describe node node1 | grep -A20 Conditions
+
+Normal state:
+  Type              Status  
+  ----              ------  
+  MemoryPressure    False   ← OK (True = low memory)
+  DiskPressure      False   ← OK (True = low disk)
+  PIDPressure       False   ← OK (True = too many processes)
+  Ready             True    ← Node is healthy
+
+Problem states:
+  Ready             False   → kubelet not working
+  Ready             Unknown → Node unreachable (network issue)</code></pre>
+
+<h2 id="troubleshoot-not-ready">2. Troubleshoot NotReady Node</h2>
+
+<pre><code class="language-text">Systematic approach — run in order:
+
+1. Check node status
+   kubectl get nodes
+   kubectl describe node NODE_NAME | tail -40
+
+2. SSH to node
+   ssh node1
+
+3. Check kubelet service
+   systemctl status kubelet
+   journalctl -u kubelet -n 50 --no-pager
+
+4. Check container runtime
+   systemctl status containerd
+   crictl ps           # List running containers
+   crictl pods         # List pod sandboxes
+
+5. Check certificates (common issue after cluster age)
+   ls /var/lib/kubelet/pki/
+   openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -noout -dates
+
+6. Restart services if needed
+   systemctl restart kubelet
+   systemctl restart containerd</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> Quy trình debug NotReady: <code>kubectl describe node</code> → SSH → <code>systemctl status kubelet</code> → <code>journalctl -u kubelet</code>. Hầu hết lỗi: kubelet stopped, wrong API server address, hoặc certificate expired.</p></blockquote>
+
+<h2 id="common-node-issues">3. Common Node Issues</h2>
+
+<table>
+<thead><tr><th>Symptom</th><th>Nguyên nhân</th><th>Fix</th></tr></thead>
+<tbody>
+<tr><td>Node NotReady</td><td>kubelet crashed</td><td>systemctl restart kubelet</td></tr>
+<tr><td>Node Unknown</td><td>Network partition</td><td>Check node network, firewall</td></tr>
+<tr><td>MemoryPressure: True</td><td>Memory thiếu</td><td>Evict pods, scale node</td></tr>
+<tr><td>DiskPressure: True</td><td>Disk đầy</td><td>Clean /var/log, /tmp, unused images</td></tr>
+<tr><td>Pods stuck Terminating</td><td>Node unreachable</td><td>kubectl delete pod --force --grace-period=0</td></tr>
+</tbody>
+</table>
+
+<h2 id="kubelet-config">4. kubelet Configuration</h2>
+
+<pre><code class="language-text"># kubelet config locations
+/var/lib/kubelet/config.yaml     # Main config
+/etc/kubernetes/kubelet.conf     # kubeconfig (how kubelet connects to API server)
+/var/lib/kubelet/kubeconfig      # Alternative path
+
+# Common kubelet config issues:
+# Wrong apiserver address
+cat /etc/kubernetes/kubelet.conf | grep server
+
+# Wrong cluster DNS
+cat /var/lib/kubelet/config.yaml | grep clusterDNS
+
+# Check kubelet's certificate
+cat /var/lib/kubelet/config.yaml | grep client-certificate</code></pre>
+
+<h2 id="node-cleanup">5. Node Image & Disk Cleanup</h2>
+
+<pre><code class="language-text"># Check disk usage
+df -h
+du -sh /var/log/*
+du -sh /var/lib/containerd
+
+# Clean unused container images
+crictl rmi --prune
+
+# Remove old logs
+find /var/log/pods -mtime +7 -delete
+
+# Check PID pressure
+ps aux | wc -l</code></pre>
+
+<h2 id="cheatsheet">6. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Task</th><th>Command</th></tr></thead>
+<tbody>
+<tr><td>Node health summary</td><td><code>kubectl describe node NAME</code></td></tr>
+<tr><td>Kubelet status</td><td><code>systemctl status kubelet</code></td></tr>
+<tr><td>Kubelet logs</td><td><code>journalctl -u kubelet -n 100</code></td></tr>
+<tr><td>Running containers on node</td><td><code>crictl ps</code></td></tr>
+<tr><td>Force delete stuck pod</td><td><code>kubectl delete pod NAME --force --grace-period=0</code></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A node shows "Ready: Unknown" status. Which of the following is most likely causing this?</p>
+<ul>
+<li>A) The kubelet process crashed on the node</li>
+<li>B) The node cannot be reached by the control plane (network issue) ✓</li>
+<li>C) All Pods on the node are OOM-killed</li>
+<li>D) The node has insufficient CPU resources</li>
+</ul>
+<p><em>Explanation: Ready: Unknown means the API server hasn't received a heartbeat from the kubelet recently. This typically indicates node is unreachable (network partition, node powered off). Ready: False means kubelet is reachable but reports a problem.</em></p>
+
+<p><strong>Q2:</strong> After SSH-ing to a NotReady node, you run "systemctl status kubelet" and see "Active: failed". What should you check next?</p>
+<ul>
+<li>A) kubectl get pods -n kube-system</li>
+<li>B) journalctl -u kubelet -n 50 to read the error logs ✓</li>
+<li>C) Delete and recreate the node</li>
+<li>D) Run kubeadm reset on the node</li>
+</ul>
+<p><em>Explanation: When kubelet fails, journalctl shows the detailed error: certificate issues, wrong API server URL, missing /var/lib/kubelet/config.yaml, etc. This is always the first diagnostic step after confirming kubelet is down.</em></p>
+
+<p><strong>Q3:</strong> A node is reporting DiskPressure: True. What is the immediate effect on workloads?</p>
+<ul>
+<li>A) All Pods are immediately deleted</li>
+<li>B) The node is marked unschedulable and BestEffort/Burstable Pods are evicted ✓</li>
+<li>C) Only new Pod scheduling is prevented</li>
+<li>D) The kubelet service stops</li>
+</ul>
+<p><em>Explanation: Under disk pressure, Kubernetes triggers pod eviction starting with BestEffort (no requests/limits), then Burstable. Guaranteed Pods are last to be evicted. The node is also tainted to prevent new scheduling.</em></p>

package/content/series/luyen-thi/luyen-thi-cka/chapters/05-troubleshooting/lessons/11-troubleshooting-workloads.md

@@ -0,0 +1,146 @@
+---
+id: cka-d5-l11
+title: 'Bài 11: Troubleshooting Workloads'
+slug: 11-troubleshooting-workloads
+description: >-
+  Debug Pods: CrashLoopBackOff, ImagePullBackOff, Pending. Troubleshoot
+  Deployments và Services. Systematic kubectl debugging workflow.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 11
+section_title: "Domain 5: Troubleshooting (30%)"
+course:
+  id: lt-cka-series-001
+  title: 'Luyện thi CKA — Certified Kubernetes Administrator'
+  slug: luyen-thi-cka
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-cka-bai11-workload-debug.png" alt="Pod Troubleshooting Workflow — CrashLoopBackOff, ImagePullBackOff, OOMKilled" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="pod-debug-workflow">1. Pod Debug Workflow</h2>
+
+<pre><code class="language-text">Systematic Pod Troubleshooting:
+  
+  kubectl get pod POD_NAME
+     │
+     ├── Pending → Node issues or PVC not bound
+     ├── Running but not working → Check logs, exec
+     ├── CrashLoopBackOff → App crashing
+     ├── ImagePullBackOff → Image or registry issue
+     └── Error → Start/init failure
+  
+  For any issue → next step:
+  kubectl describe pod POD_NAME
+  (read Events section at bottom!)
+  
+  For logs:
+  kubectl logs POD_NAME
+  kubectl logs POD_NAME --previous  (after crash)
+  kubectl logs POD_NAME -c CONTAINER  (multi-container)</code></pre>
+
+<h2 id="pod-issues">2. Common Pod Issues</h2>
+
+<table>
+<thead><tr><th>State</th><th>Nguyên nhân</th><th>Debug</th></tr></thead>
+<tbody>
+<tr><td><strong>Pending</strong></td><td>Không schedule được</td><td>describe pod → Events: Insufficient CPU/memory hoặc No nodes match affinity</td></tr>
+<tr><td><strong>ImagePullBackOff</strong></td><td>Image không tồn tại / registry auth</td><td>Check image name typo, imagePullSecrets</td></tr>
+<tr><td><strong>CrashLoopBackOff</strong></td><td>App crash liên tục</td><td>kubectl logs --previous, check app exit code</td></tr>
+<tr><td><strong>OOMKilled</strong></td><td>Vượt memory limit</td><td>kubectl describe pod → Container Reason: OOMKilled</td></tr>
+<tr><td><strong>CreateContainerError</strong></td><td>Volume mount, ConfigMap, Secret không tồn tại</td><td>describe pod Events</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> <code>kubectl describe pod</code> Events section là nơi quan trọng nhất để debug. CKA tasks thường yêu cầu bạn fix một broken pod — thường là typo trong image name, sai ConfigMap name, hoặc Port conflict.</p></blockquote>
+
+<h2 id="exec-debug">3. Exec & Debug</h2>
+
+<pre><code class="language-text"># Exec into running container
+kubectl exec -it POD_NAME -- /bin/sh
+kubectl exec -it POD_NAME -c CONTAINER_NAME -- bash
+
+# Debug with ephemeral container (v1.23+)
+kubectl debug -it POD_NAME --image=busybox --target=app
+
+# Copy files from/to pod
+kubectl cp POD_NAME:/var/log/app.log ./app.log
+kubectl cp ./config.yaml POD_NAME:/tmp/config.yaml
+
+# Port-forward for quick testing
+kubectl port-forward pod/POD_NAME 8080:80
+kubectl port-forward svc/SERVICE_NAME 8080:80</code></pre>
+
+<h2 id="deployment-debug">4. Deployment Issues</h2>
+
+<pre><code class="language-text"># Check deployment status
+kubectl rollout status deployment/myapp
+kubectl get replicaset -l app=myapp  # Check RS history
+
+# Pod template issue: deployment creates RS but pods fail
+kubectl describe replicaset RS_NAME  # Check pod template errors
+
+# Deployment stuck in progress?
+kubectl describe deployment myapp | grep -A5 Conditions
+
+# Check events at deployment level
+kubectl get events --field-selector involvedObject.name=myapp --sort-by='.lastTimestamp'</code></pre>
+
+<h2 id="service-debug">5. Service Connectivity Debug</h2>
+
+<pre><code class="language-text">Debug service connectivity:
+
+1. Check endpoints
+   kubectl get endpoints SERVICE_NAME
+   → Empty: selector mismatch
+
+2. Test from within cluster
+   kubectl run test --image=busybox --rm -it -- wget -O- http://SERVICE_NAME:PORT
+
+3. Check kube-proxy
+   kubectl get pods -n kube-system -l k8s-app=kube-proxy
+
+4. Check iptables (on node)
+   iptables -t nat -L KUBE-SERVICES | grep SERVICE_NAME</code></pre>
+
+<h2 id="cheatsheet">6. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Task</th><th>Command</th></tr></thead>
+<tbody>
+<tr><td>Previous container logs</td><td><code>kubectl logs POD --previous</code></td></tr>
+<tr><td>All events in namespace</td><td><code>kubectl get events --sort-by='.lastTimestamp'</code></td></tr>
+<tr><td>Quick connectivity test</td><td><code>kubectl run test --image=busybox --rm -it -- wget -qO- URL</code></td></tr>
+<tr><td>Check pod exit code</td><td><code>kubectl describe pod | grep Exit Code</code></td></tr>
+<tr><td>Multi-container logs</td><td><code>kubectl logs POD -c CONTAINER</code></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A Pod is in CrashLoopBackOff. The application log shows "Error: failed to connect to database at localhost:5432". What is the issue?</p>
+<ul>
+<li>A) The database Service is misconfigured</li>
+<li>B) The app uses localhost to reach the database, but sidecar containers don't have a database running ✓</li>
+<li>C) The Pod lacks sufficient memory</li>
+<li>D) The database password in the Secret is incorrect</li>
+</ul>
+<p><em>Explanation: Pods share a network namespace, so "localhost" within a Pod only reaches other containers in the SAME Pod. If the database is in a separate Pod, the app should use the Service DNS name (e.g., pg-service.namespace.svc.cluster.local), not localhost.</em></p>
+
+<p><strong>Q2:</strong> A Deployment's Pods are stuck in ImagePullBackOff. The image name is "mycompany/private-app:1.2". What should you verify first?</p>
+<ul>
+<li>A) The image exists on Docker Hub with exact tag</li>
+<li>B) The Deployment has an imagePullSecrets referencing registry credentials ✓</li>
+<li>C) The node has enough disk space</li>
+<li>D) The Service is correctly configured</li>
+</ul>
+<p><em>Explanation: Private registries require authentication. The Pod must have an imagePullSecrets field referencing a Secret with registry credentials (type: kubernetes.io/dockerconfigjson). Also verify the image name and tag are correct.</em></p>
+
+<p><strong>Q3:</strong> You run "kubectl get endpoints myservice" and the result shows "&lt;none&gt;". What is the most likely problem?</p>
+<ul>
+<li>A) The Service port is wrong</li>
+<li>B) No Pods with labels matching the Service selector are in Ready state ✓</li>
+<li>C) The Ingress is misconfigured</li>
+<li>D) kube-proxy is not running</li>
+</ul>
+<p><em>Explanation: Endpoints are populated when Pods match the Service selector AND are Ready. Common causes: label mismatch (typo in selector); all Pods are Pending/CrashLooping so not Ready; wrong namespace. Check: kubectl get pods -l APP=LABEL --show-labels.</em></p>

package/content/series/luyen-thi/luyen-thi-cka/chapters/05-troubleshooting/lessons/12-troubleshooting-networking-exam.md

@@ -0,0 +1,170 @@
+---
+id: cka-d5-l12
+title: 'Bài 12: Troubleshooting Networking & Exam Strategy'
+slug: 12-troubleshooting-networking-exam
+description: >-
+  Debug network connectivity. DNS issues, Service không reach được. Cluster
+  networking flow. CKA exam tips, time management và command shortcuts.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 12
+section_title: "Domain 5: Troubleshooting (30%)"
+course:
+  id: lt-cka-series-001
+  title: 'Luyện thi CKA — Certified Kubernetes Administrator'
+  slug: luyen-thi-cka
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-cka-bai12-network-debug.png" alt="Network Troubleshooting Layers — Layer-by-layer debug approach" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="network-debug">1. Network Troubleshooting Workflow</h2>
+
+<pre><code class="language-text">Network connectivity issue:
+  Pod A cannot reach Pod B (or Service)
+  
+  Layer-by-layer debug:
+  
+  1. Same node, same namespace?
+     kubectl exec pod-a -- ping POD_B_IP
+
+  2. Different node?
+     kubectl get pod pod-a pod-b -o wide  # Check node placement
+
+  3. Via Service name (DNS)?
+     kubectl exec pod-a -- nslookup my-service
+     kubectl exec pod-a -- wget -qO- http://my-service:8080
+
+  4. NetworkPolicy blocking?
+     kubectl get networkpolicy -n NAMESPACE
+
+  5. kube-proxy working?
+     kubectl get pods -n kube-system -l k8s-app=kube-proxy</code></pre>
+
+<h2 id="network-flow">2. Full Network Flow Diagram</h2>
+
+<pre><code class="language-text">Client Pod ──(routes to)──► Service ClusterIP (iptables/ipvs)
+                                │
+                            kube-proxy routes to one of:
+                           Pod IP 1 | Pod IP 2 | Pod IP 3
+                                │
+                          CNI (Calico/Flannel) routes to
+                          correct node if cross-node
+                                │
+                          Container receives on containerPort</code></pre>
+
+<table>
+<thead><tr><th>Component Fails</th><th>Symptom</th><th>Fix</th></tr></thead>
+<tbody>
+<tr><td>CoreDNS</td><td>DNS resolution fails</td><td>Restart CoreDNS pods</td></tr>
+<tr><td>kube-proxy</td><td>Service IPs unreachable</td><td>Restart kube-proxy DaemonSet</td></tr>
+<tr><td>CNI plugin</td><td>Cross-node pod comms fail</td><td>Reinstall CNI or check CNI pods</td></tr>
+<tr><td>NetworkPolicy</td><td>Specific traffic blocked</td><td>Review/delete blocking policies</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Khi debug networking, bắt đầu từ trong Pod (IP reachable?) → Service (DNS + Endpoints?) → Node (CNI routing?) → NetworkPolicy. Đừng nhảy thẳng vào kube-proxy nếu chưa test DNS.</p></blockquote>
+
+<h2 id="exam-strategy">3. CKA Exam Strategy</h2>
+
+<table>
+<thead><tr><th>Tip</th><th>Chi tiết</th></tr></thead>
+<tbody>
+<tr><td><strong>Switch context ngay</strong></td><td>Mỗi câu chỉ định cluster → <code>kubectl config use-context CLUSTER</code></td></tr>
+<tr><td><strong>Use --dry-run</strong></td><td><code>kubectl create deploy --dry-run=client -o yaml &gt; file.yaml</code> để gen YAML</td></tr>
+<tr><td><strong>Use explain</strong></td><td><code>kubectl explain pod.spec.containers.resources</code> cho field help</td></tr>
+<tr><td><strong>Bookmark fast</strong></td><td>Dùng Kubernetes docs search khi cần YAML template</td></tr>
+<tr><td><strong>Skip hard tasks</strong></td><td>Mark và return, dễ trước (30% troubleshooting = most marks)</td></tr>
+<tr><td><strong>Verify sau khi làm</strong></td><td><code>kubectl get/describe</code> để xác nhận changes worked</td></tr>
+</tbody>
+</table>
+
+<h2 id="kubectl-shortcuts">4. Essential kubectl Shortcuts</h2>
+
+<pre><code class="language-text"># Aliases để tiết kiệm thời jan
+alias k=kubectl
+alias kgp='kubectl get pods'
+alias kgs='kubectl get svc'
+alias kns='kubectl config set-context --current --namespace'
+
+# Resource short names
+po  = pods
+svc = services
+deploy = deployments
+ns  = namespaces
+cm  = configmaps
+pvc = persistentvolumeclaims
+pv  = persistentvolumes
+rs  = replicasets
+sa  = serviceaccounts
+no  = nodes
+
+# Most-used flags
+-n NAMESPACE    --namespace
+-o wide         wider output (IP, Node)
+-o yaml         full YAML output
+-o jsonpath     extract specific field
+--all-namespaces / -A   search all namespaces</code></pre>
+
+<h2 id="exam-commands">5. Must-Know Commands for CKA</h2>
+
+<pre><code class="language-text"># Generate YAML with dry-run
+kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
+kubectl create deployment myapp --image=myapp --replicas=3 --dry-run=client -o yaml
+
+# Extract field
+kubectl get node NODENAME -o jsonpath='{.status.capacity.cpu}'
+kubectl get pod PODNAME -o jsonpath='{.status.podIP}'
+
+# Sort by field
+kubectl get events --sort-by='.lastTimestamp'
+kubectl get pods --sort-by='.status.startTime'
+
+# Watch resources
+kubectl get pods -w
+
+# All namespaces
+kubectl get pods -A
+kubectl get pods -A | grep CrashLoop</code></pre>
+
+<h2 id="cheatsheet">6. CKA Quick Reference</h2>
+
+<table>
+<thead><tr><th>Domain (Weight)</th><th>Key Topics</th></tr></thead>
+<tbody>
+<tr><td>Cluster Architecture (25%)</td><td>kubeadm, static pods, kubeconfig, RBAC</td></tr>
+<tr><td>Workloads (15%)</td><td>Deployments, rollout, DaemonSet, StatefulSet, scheduling</td></tr>
+<tr><td>Services & Networking (20%)</td><td>Services, Ingress, NetworkPolicy, DNS</td></tr>
+<tr><td>Storage (10%)</td><td>PV, PVC, StorageClass, volume mounts</td></tr>
+<tr><td><strong>Troubleshooting (30%)</strong></td><td>Node, workload, network debug — HIGHEST WEIGHT</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A Pod successfully pings another Pod's IP but cannot reach it via Service name. DNS resolution fails. CoreDNS Pods are running. What should you check?</p>
+<ul>
+<li>A) kube-proxy configuration</li>
+<li>B) The Pod's /etc/resolv.conf nameserver entry ✓</li>
+<li>C) The node's iptables rules</li>
+<li>D) The Service's targetPort</li>
+</ul>
+<p><em>Explanation: If IP works but DNS doesn't, the Pod isn't using the CoreDNS server. Check /etc/resolv.conf inside the Pod — it should show the kube-dns ClusterIP as nameserver. If not, the Pod's dnsPolicy or dnsConfig may be overriding the default.</em></p>
+
+<p><strong>Q2:</strong> During the CKA exam, the first thing you always do when starting a new question is:</p>
+<ul>
+<li>A) Read Kubernetes documentation for the topic</li>
+<li>B) Switch to the correct cluster context using kubectl config use-context ✓</li>
+<li>C) Create a backup of the current cluster state</li>
+<li>D) Check existing resources in the cluster</li>
+</ul>
+<p><em>Explanation: CKA uses multiple clusters. Each question specifies a cluster. Always switch context first — working on the wrong cluster will fail the task even if executed perfectly. This is the #1 exam mistake.</em></p>
+
+<p><strong>Q3:</strong> You need to expose a Deployment "webapp" on port 80 to external traffic using a NodePort Service. Which is the fastest approach?</p>
+<ul>
+<li>A) Write a Service YAML and kubectl apply it</li>
+<li>B) kubectl expose deployment webapp --type=NodePort --port=80 ✓</li>
+<li>C) kubectl create service nodeport webapp --tcp=80:80</li>
+<li>D) Edit the Deployment YAML to add a hostPort</li>
+</ul>
+<p><em>Explanation: kubectl expose is the fastest — it creates a Service targeting the Deployment's Pods using the same selector. It requires no YAML editing. Option C works but doesn't use the Deployment's existing selector.</em></p>

package/content/series/luyen-thi/luyen-thi-cka/index.md

@@ -8,7 +8,7 @@ description: >-
   Services & Networking (20%), Workloads & Scheduling (15%), Storage (10%).
   12 bài học kèm bài tập thực hành terminal.
 
-featured_image: null
+featured_image: images/blog/luyen-thi-cka-banner.png
 level: intermediate
 duration_hours: 35
 lesson_count: 12