@xdev-asia/xdev-knowledge-mcp 1.0.44 → 1.0.45

package/content/series/luyen-thi/luyen-thi-ckad/chapters/04-app-environment-config/lessons/08-resources-qos.md

@@ -0,0 +1,168 @@
+---
+id: ckad-d4-l08
+title: 'Bài 8: Resource Requests, Limits & QoS'
+slug: 08-resources-qos
+description: >-
+  Resource requests vs limits (CPU, Memory). QoS classes: Guaranteed, Burstable,
+  BestEffort. LimitRange defaults và ResourceQuota namespace limits.
+duration_minutes: 50
+is_free: true
+video_url: null
+sort_order: 8
+section_title: "Domain 4: Application Environment, Configuration and Security (25%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai8-qos-classes.png" alt="Resource Requests, Limits và QoS Classes — Guaranteed, Burstable, BestEffort" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="requests-limits">1. Requests vs Limits</h2>
+
+<pre><code class="language-text">resources:
+  requests:
+    cpu: "250m"      # 250 millicores = 0.25 CPU (scheduling)
+    memory: "128Mi"  # Minimum guaranteed memory
+  limits:
+    cpu: "500m"      # Max CPU (throttled but not killed)
+    memory: "256Mi"  # Max memory (killed if exceeded → OOMKilled)</code></pre>
+
+<table>
+<thead><tr><th>Resource</th><th>Khi vượt requests</th><th>Khi vượt limits</th></tr></thead>
+<tbody>
+<tr><td><strong>CPU</strong></td><td>Chạy bình thường (burst)</td><td>Bị throttled (chậm lại, không kill)</td></tr>
+<tr><td><strong>Memory</strong></td><td>Chạy bình thường</td><td>Container bị kill → OOMKilled</td></tr>
+</tbody>
+</table>
+
+<pre><code class="language-text">CPU units:
+  1 CPU = 1000m (millicores)
+  0.5 CPU = 500m
+  100m = 0.1 CPU
+
+Memory units:
+  Ki (Kibibyte) = 1024 bytes
+  Mi (Mebibyte) = 1024 Ki
+  Gi (Gibibyte) = 1024 Mi
+  (NOT KB/MB/GB which are decimal)</code></pre>
+
+<h2 id="qos">2. QoS Classes</h2>
+
+<pre><code class="language-text">QoS = Quality of Service (kiểm soát eviction priority)
+
+┌─────────────────────────────────────────────────────────┐
+│  GUARANTEED — Last to evict                             │
+│  ✓ CPU requests == CPU limits                           │
+│  ✓ Memory requests == Memory limits                     │
+│  ✓ ALL containers in pod must satisfy                   │
+├─────────────────────────────────────────────────────────┤
+│  BURSTABLE — Middle priority                            │
+│  ✓ At least one container has requests OR limits        │
+│  ✗ Doesn't meet Guaranteed criteria                     │
+├─────────────────────────────────────────────────────────┤
+│  BESTEFFORT — First to evict                            │
+│  ✗ NO requests, NO limits set at all                    │
+└─────────────────────────────────────────────────────────┘</code></pre>
+
+<table>
+<thead><tr><th>QoS Class</th><th>Điều kiện</th><th>Eviction priority</th></tr></thead>
+<tbody>
+<tr><td><strong>Guaranteed</strong></td><td>requests == limits cho CPU và Memory (tất cả containers)</td><td>Thấp nhất (last evicted)</td></tr>
+<tr><td><strong>Burstable</strong></td><td>Ít nhất một container có request/limit, không đủ Guaranteed</td><td>Trung bình</td></tr>
+<tr><td><strong>BestEffort</strong></td><td>Không có bất kỳ request/limit nào</td><td>Cao nhất (first evicted)</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Kiểm tra QoS class của pod: <code>kubectl describe pod &lt;name&gt; | grep -i qos</code> hoặc <code>kubectl get pod &lt;name&gt; -o jsonpath='{.status.qosClass}'</code>. Để đạt Guaranteed: set requests = limits cho CẢ CPU lẫn memory, trong CẢ containers (kể cả init containers).</p></blockquote>
+
+<h2 id="limitrange">3. LimitRange</h2>
+
+<p>LimitRange đặt default requests/limits cho Pods trong namespace — áp dụng khi Pod không tự set.</p>
+
+<pre><code class="language-text">apiVersion: v1
+kind: LimitRange
+metadata:
+  name: mem-limit-range
+  namespace: development
+spec:
+  limits:
+  - type: Container
+    default:          # Default limits (khi container không set limits)
+      memory: 512Mi
+      cpu: 500m
+    defaultRequest:   # Default requests (khi container không set requests)
+      memory: 256Mi
+      cpu: 250m
+    max:              # Maximum allowed limits
+      memory: 1Gi
+      cpu: "1"
+    min:              # Minimum required requests
+      memory: 64Mi
+      cpu: 50m</code></pre>
+
+<h2 id="resourcequota">4. ResourceQuota</h2>
+
+<pre><code class="language-text">apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: production-quota
+  namespace: production
+spec:
+  hard:
+    # Compute resources
+    requests.cpu: "10"
+    requests.memory: 20Gi
+    limits.cpu: "20"
+    limits.memory: 40Gi
+    # Object counts
+    pods: "50"
+    services: "20"
+    persistentvolumeclaims: "10"
+    secrets: "30"
+    configmaps: "30"</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> Nếu namespace có ResourceQuota yêu cầu resource limits, thì <strong>tất cả Pods</strong> trong namespace đó PHẢI set resource requests và limits — hoặc phải có LimitRange cung cấp defaults. Nếu không set, API server sẽ reject Pod creation.</p></blockquote>
+
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Tình huống</th><th>Giải pháp</th></tr></thead>
+<tbody>
+<tr><td>Container bị OOMKilled</td><td>Tăng <code>limits.memory</code></td></tr>
+<tr><td>Container bị throttled (chậm)</td><td>Tăng <code>limits.cpu</code></td></tr>
+<tr><td>Pod không schedule được</td><td>Giảm <code>requests</code> hoặc scale cluster</td></tr>
+<tr><td>QoS là Guaranteed</td><td><code>requests == limits</code> cho CPU và Memory</td></tr>
+<tr><td>Set default limits cho namespace</td><td><strong>LimitRange</strong></td></tr>
+<tr><td>Giới hạn tổng resource của namespace</td><td><strong>ResourceQuota</strong></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A container has cpu requests=200m, cpu limits=500m, memory requests=256Mi, memory limits=256Mi. What is the QoS class of this Pod (assuming it's the only container)?</p>
+<ul>
+<li>A) Guaranteed</li>
+<li>B) Burstable ✓</li>
+<li>C) BestEffort</li>
+<li>D) Critical</li>
+</ul>
+<p><em>Explanation: For Guaranteed, all requests must equal limits. Here cpu requests (200m) ≠ cpu limits (500m). Memory requests do equal limits (256Mi). Since the criteria for Guaranteed is not fully met, but resources are set, the class is Burstable.</em></p>
+
+<p><strong>Q2:</strong> A container's memory usage exceeds its memory limit. What happens?</p>
+<ul>
+<li>A) The container is throttled (slowed down)</li>
+<li>B) The container is terminated and restarted (OOMKilled) ✓</li>
+<li>C) The container is evicted from the node</li>
+<li>D) The Pod is rescheduled to a different node</li>
+</ul>
+<p><em>Explanation: Unlike CPU (which is compressible — throttled but not killed), memory is incompressible. When a container exceeds its memory limit, it receives an OOMKilled exit code and is restarted by the container runtime. Repeated OOMKills lead to CrashLoopBackOff.</em></p>
+
+<p><strong>Q3:</strong> A namespace has a ResourceQuota requiring limits.memory to be set on all Pods. A new Pod is created without any resource limits. What happens?</p>
+<ul>
+<li>A) The Pod starts with no limits (ResourceQuota applies only to running Pods)</li>
+<li>B) The Pod is rejected by the API server unless a LimitRange provides defaults ✓</li>
+<li>C) The Pod starts with default limits of 512Mi</li>
+<li>D) The ResourceQuota is automatically updated to exclude this Pod</li>
+</ul>
+<p><em>Explanation: When a ResourceQuota exists in a namespace that covers memory limits, ALL Pods must specify memory limits. If no LimitRange provides defaults, the API server rejects the Pod. Solution: either set limits on the Pod, or create a LimitRange with defaultRequest/default values for the namespace.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/chapters/05-services-networking/lessons/09-services-ingress.md

@@ -0,0 +1,182 @@
+---
+id: ckad-d5-l09
+title: 'Bài 9: Services & Ingress'
+slug: 09-services-ingress
+description: >-
+  Service types: ClusterIP, NodePort, LoadBalancer, ExternalName. kubectl expose.
+  Ingress resources, IngressClass, TLS termination và path-based routing.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 9
+section_title: "Domain 5: Services and Networking (20%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai9-services-ingress.png" alt="Service Types và Ingress Routing — ClusterIP, NodePort, LoadBalancer" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="service-types">1. Service Types</h2>
+
+<table>
+<thead><tr><th>Type</th><th>Access</th><th>Dùng khi nào</th></tr></thead>
+<tbody>
+<tr><td><strong>ClusterIP</strong></td><td>Internal only (cluster DNS)</td><td>Service-to-service communication (default)</td></tr>
+<tr><td><strong>NodePort</strong></td><td>NodeIP:30000-32767</td><td>Dev/test external access</td></tr>
+<tr><td><strong>LoadBalancer</strong></td><td>Cloud LB external IP</td><td>Production external access (cloud)</td></tr>
+<tr><td><strong>ExternalName</strong></td><td>CNAME DNS alias</td><td>Route to external DNS name</td></tr>
+</tbody>
+</table>
+
+<pre><code class="language-text">ClusterIP (default):
+apiVersion: v1
+kind: Service
+metadata:
+  name: myapp-svc
+spec:
+  type: ClusterIP     # Can omit — default
+  selector:
+    app: myapp
+  ports:
+  - port: 80          # Service port (what clients connect to)
+    targetPort: 8080  # Container port (where app listens)
+
+NodePort:
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    nodePort: 30080   # Optional: 30000-32767 range (auto-assigned if omitted)</code></pre>
+
+<h2 id="kubectl-expose">2. kubectl expose</h2>
+
+<pre><code class="language-text"># Expose Deployment as ClusterIP (default)
+kubectl expose deployment myapp --port=80 --target-port=8080
+
+# Expose as NodePort
+kubectl expose deployment myapp --port=80 --target-port=8080 --type=NodePort
+
+# Expose a Pod
+kubectl expose pod mypod --port=80 --name=mypod-svc
+
+# Expose existing service quickly and redirect traffic
+kubectl run nginx --image=nginx --port=80 --expose
+# This creates both the Pod AND the ClusterIP Service</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> <code>kubectl expose</code> cần selector match với Pod labels. Nếu Deployment đang dùng <code>app: myapp</code>, Service selector phải là <code>app: myapp</code>. Flag <code>--expose</code> khi dùng với <code>kubectl run</code> tạo cả Pod lẫn Service cùng lúc — rất nhanh trong exam.</p></blockquote>
+
+<h2 id="ingress">3. Ingress</h2>
+
+<p>Ingress là L7 HTTP/HTTPS routing — một điểm vào, route đến nhiều Services dựa trên host/path.</p>
+
+<pre><code class="language-text">                     ┌─────────────────────────────────┐
+Internet ──────────►│   Ingress Controller (nginx)     │
+                     │                                  │
+                     │  /api  ──────────► api-service   │
+                     │  /web  ──────────► web-service   │
+                     │  blog.example.com → blog-service │
+                     └─────────────────────────────────┘</code></pre>
+
+<pre><code class="language-text">apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myapp-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  ingressClassName: nginx       # Which IngressClass to use
+  tls:
+  - hosts:
+    - myapp.example.com
+    secretName: myapp-tls       # TLS cert stored as Secret
+  rules:
+  - host: myapp.example.com
+    http:
+      paths:
+      - path: /api
+        pathType: Prefix        # Prefix or Exact
+        backend:
+          service:
+            name: api-service
+            port:
+              number: 80
+      - path: /web
+        pathType: Prefix
+        backend:
+          service:
+            name: web-service
+            port:
+              number: 80</code></pre>
+
+<table>
+<thead><tr><th>pathType</th><th>Hành vi</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td><strong>Exact</strong></td><td>Match chính xác path</td><td><code>/api</code> chỉ match <code>/api</code></td></tr>
+<tr><td><strong>Prefix</strong></td><td>Match path prefix</td><td><code>/api</code> match <code>/api</code>, <code>/api/v1</code>, <code>/api/users</code></td></tr>
+<tr><td><strong>ImplementationSpecific</strong></td><td>Tùy IngressClass</td><td>Depends on controller</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Ingress cần <strong>Ingress Controller</strong> (như nginx, traefik) mới hoạt động — Ingress resource chỉ là config. IngressClass chỉ định controller nào xử lý. Trong exam, IngressClass thường đã được setup sẵn. Nhớ check <code>kubectl get ingressclass</code> để biết tên.</p></blockquote>
+
+<h2 id="debug-service">4. Debug Service Connectivity</h2>
+
+<pre><code class="language-text"># Check service exists và endpoints
+kubectl get services
+kubectl get endpoints myapp-svc
+
+# Test connectivity từ trong cluster (create temp pod)
+kubectl run test --image=busybox --rm -it -- wget -qO- http://myapp-svc
+kubectl run test --image=curlimages/curl --rm -it -- curl http://myapp-svc:80
+
+# Check if selector matches pods
+kubectl get pods -l app=myapp  # Should match service selector
+kubectl describe service myapp-svc  # Shows Endpoints section
+
+# If Endpoints is empty: selector mismatch!
+# Check: kubectl get pods --show-labels</code></pre>
+
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Task</th><th>Command</th></tr></thead>
+<tbody>
+<tr><td>Expose Deployment</td><td><code>kubectl expose deploy/app --port=80 --type=NodePort</code></td></tr>
+<tr><td>Create Pod + Service</td><td><code>kubectl run nginx --image=nginx --port=80 --expose</code></td></tr>
+<tr><td>Check service endpoints</td><td><code>kubectl get endpoints svc-name</code></td></tr>
+<tr><td>Test service từ trong cluster</td><td><code>kubectl run tmp --image=busybox --rm -it -- wget -O- http://svc</code></td></tr>
+<tr><td>Ingress với TLS</td><td>tls: secretName + hosts trong rules</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A Deployment named "webapp" with selector app=webapp runs on port 8080. You need to create a Service that makes it accessible within the cluster on port 80. Which command creates this correctly?</p>
+<ul>
+<li>A) <code>kubectl expose deployment webapp --port=8080</code></li>
+<li>B) <code>kubectl expose deployment webapp --port=80 --target-port=8080</code> ✓</li>
+<li>C) <code>kubectl create service clusterip webapp --port=8080:80</code></li>
+<li>D) <code>kubectl expose deployment webapp --type=ClusterIP --port=80</code></li>
+</ul>
+<p><em>Explanation: --port=80 is the Service port (what clients use), --target-port=8080 is the container port (where the app listens). Without --target-port, Kubernetes assumes target-port equals port. Option D would work but uses same port 80 for both.</em></p>
+
+<p><strong>Q2:</strong> An Ingress resource exists but traffic doesn't reach the backend Services. kubectl get endpoints shows the correct Pod IPs. What is the most likely cause?</p>
+<ul>
+<li>A) The Service type should be LoadBalancer instead of ClusterIP</li>
+<li>B) No Ingress Controller is installed or the ingressClassName is wrong ✓</li>
+<li>C) The Ingress needs TLS configured</li>
+<li>D) The pathType should be Exact instead of Prefix</li>
+</ul>
+<p><em>Explanation: Ingress resources are just configuration objects. Without an Ingress Controller, nothing processes the rules. If the ingressClassName doesn't match an IngressClass connected to a running controller, the Ingress is effectively ignored. Always verify kubectl get ingressclass and that the controller Pod is running.</em></p>
+
+<p><strong>Q3:</strong> Which Service type provides external access using a port in the range 30000-32767 on every cluster node?</p>
+<ul>
+<li>A) ClusterIP</li>
+<li>B) ExternalName</li>
+<li>C) NodePort ✓</li>
+<li>D) LoadBalancer</li>
+</ul>
+<p><em>Explanation: NodePort opens a port in the 30000-32767 range on every Node in the cluster. External traffic can reach the Service via NodeIP:NodePort. This is typically used for development and testing. LoadBalancer provides a cloud load balancer with a stable external IP, which is preferred for production.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/chapters/05-services-networking/lessons/10-networkpolicies-exam-strategy.md

@@ -0,0 +1,236 @@
+---
+id: ckad-d5-l10
+title: 'Bài 10: NetworkPolicies & CKAD Exam Strategy'
+slug: 10-networkpolicies-exam-strategy
+description: >-
+  NetworkPolicy ingress/egress rules, default-deny patterns và pod selector.
+  CKAD exam strategy: kubectl shortcuts, --dry-run pattern và time management.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 10
+section_title: "Domain 5: Services and Networking (20%)"
+course:
+  id: lt-ckad-series-001
+  title: 'Luyện thi CKAD — Certified Kubernetes Application Developer'
+  slug: luyen-thi-ckad
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-ckad-bai10-networkpolicy.png" alt="NetworkPolicy — ingress/egress rules, default-deny và AND/OR logic" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="networkpolicy">1. NetworkPolicy</h2>
+
+<p>Mặc định, tất cả Pods trong cluster có thể communicate với nhau. NetworkPolicy giới hạn traffic dựa trên labels.</p>
+
+<pre><code class="language-text">Default: All pods can talk to all pods (no restriction)
+
+After applying default-deny-all:
+  Pod A ──✗──► Pod B (blocked)
+  Pod A ──✗──► Pod C (blocked)
+
+After applying allow policy:
+  Pod A (app=frontend) ──✓──► Pod B (app=backend, port 3000)
+  Pod A ──✗──► Pod C (app=database) (still blocked)</code></pre>
+
+<h2 id="policy-syntax">2. NetworkPolicy Syntax</h2>
+
+<pre><code class="language-text">apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: backend-policy
+  namespace: production
+spec:
+  podSelector:         # Applies to these pods (empty = all pods in ns)
+    matchLabels:
+      app: backend
+  policyTypes:
+  - Ingress            # Controls inbound traffic
+  - Egress             # Controls outbound traffic
+  ingress:
+  - from:
+    - podSelector:     # Allow from pods with this label
+        matchLabels:
+          app: frontend
+    - namespaceSelector: # Allow from pods in these namespaces
+        matchLabels:
+          name: production
+    ports:
+    - protocol: TCP
+      port: 3000
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: database
+    ports:
+    - protocol: TCP
+      port: 5432</code></pre>
+
+<blockquote><p><strong>Exam tip — AND vs OR trong NetworkPolicy:</strong><br/>
+<code>from: [{podSelector}, {namespaceSelector}]</code> = OR (pod from either selector)<br/>
+<code>from: [{podSelector + namespaceSelector}]</code> in SAME item = AND (pod matching both)<br/>
+Đây là một trong những câu hỏi trap nhất của CKAD.</p></blockquote>
+
+<h2 id="common-patterns">3. Common Patterns</h2>
+
+<pre><code class="language-text">Pattern 1: Default deny all ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+spec:
+  podSelector: {}     # Empty = match ALL pods
+  policyTypes:
+  - Ingress
+  # No ingress rules = deny all ingress
+
+Pattern 2: Default deny all (both ingress + egress)
+---
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  # No rules = deny all
+
+Pattern 3: Allow all ingress (override deny)
+---
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - {}  # Empty rule = allow all ingress</code></pre>
+
+<table>
+<thead><tr><th>Pattern</th><th>policyTypes</th><th>Rules</th><th>Effect</th></tr></thead>
+<tbody>
+<tr><td>Deny all ingress</td><td>[Ingress]</td><td>Không có ingress rules</td><td>Block all inbound</td></tr>
+<tr><td>Deny all egress</td><td>[Egress]</td><td>Không có egress rules</td><td>Block all outbound</td></tr>
+<tr><td>Allow specific</td><td>[Ingress]</td><td>ingress rules listed</td><td>Allow matching only</td></tr>
+<tr><td>Allow DNS egress</td><td>[Egress]</td><td>to port 53 (UDP+TCP)</td><td>Allow DNS queries</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> NetworkPolicy chỉ hoạt động nếu CNI plugin hỗ trợ (Calico, Cilium, Weave). <strong>Flannel không hỗ trợ NetworkPolicy!</strong> Ingress/Egress rules là additive — nếu nhiều policies apply đến cùng Pod, Kubernetes OR tất cả rules lại.</p></blockquote>
+
+<h2 id="exam-strategy">4. CKAD Exam Strategy</h2>
+
+<pre><code class="language-text">Thông tin exam:
+- 2 giờ, ~15-20 tasks thực hành (performance-based)
+- Mỗi task có value % khác nhau (ưu tiên task cao điểm trước)
+- Pass score: 66%
+- Được dùng docs: kubernetes.io/docs + helm.sh/docs
+
+Keyboard shortcuts quan trọng:
+  k = kubectl (export alias k=kubectl trong exam, đã set sẵn)
+  CTRL+R = search command history
+  CTRL+A = go to beginning of line</code></pre>
+
+<pre><code class="language-text">Workflow cho mỗi task:
+
+1. ĐỌC KỸ task description (đặc biệt để ý namespace!)
+2. Switch context nếu cần:
+   kubectl config use-context cluster-name
+3. Set namespace shortcut:
+   export ns=target-namespace
+   alias kn="kubectl -n $ns"
+4. Dùng --dry-run=client -o yaml để generate YAML:
+   kubectl run pod --image=nginx --dry-run=client -o yaml > pod.yaml
+5. Edit YAML, apply, verify:
+   kubectl apply -f pod.yaml
+   kubectl get pods -n $ns</code></pre>
+
+<h2 id="dry-run-pattern">5. --dry-run Pattern</h2>
+
+<pre><code class="language-text"># Generate YAML templates nhanh hơn viết tay:
+
+Pod:
+  kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
+
+Deployment:
+  kubectl create deployment myapp --image=nginx --replicas=3 \
+    --dry-run=client -o yaml > deploy.yaml
+
+Service (ClusterIP):
+  kubectl create service clusterip myapp --tcp=80:8080 \
+    --dry-run=client -o yaml > svc.yaml
+
+ConfigMap:
+  kubectl create configmap myconfig --from-literal=k=v \
+    --dry-run=client -o yaml > cm.yaml
+
+Secret:
+  kubectl create secret generic mysecret --from-literal=pass=secret \
+    --dry-run=client -o yaml > secret.yaml
+
+Job:
+  kubectl create job myjob --image=busybox -- echo hello \
+    --dry-run=client -o yaml > job.yaml
+
+CronJob:
+  kubectl create cronjob mycron --image=busybox --schedule="*/1 * * * *" \
+    -- echo hello --dry-run=client -o yaml > cron.yaml</code></pre>
+
+<h2 id="kubectl-shortcuts">6. Essential kubectl Shortcuts</h2>
+
+<table>
+<thead><tr><th>Lệnh đầy đủ</th><th>Short form</th></tr></thead>
+<tbody>
+<tr><td><code>kubectl get pods</code></td><td><code>k get po</code></td></tr>
+<tr><td><code>kubectl get deployments</code></td><td><code>k get deploy</code></td></tr>
+<tr><td><code>kubectl get services</code></td><td><code>k get svc</code></td></tr>
+<tr><td><code>kubectl get namespaces</code></td><td><code>k get ns</code></td></tr>
+<tr><td><code>kubectl get persistentvolumeclaims</code></td><td><code>k get pvc</code></td></tr>
+<tr><td><code>kubectl get configmaps</code></td><td><code>k get cm</code></td></tr>
+<tr><td><code>kubectl get serviceaccounts</code></td><td><code>k get sa</code></td></tr>
+<tr><td><code>kubectl get networkpolicies</code></td><td><code>k get netpol</code></td></tr>
+<tr><td><code>kubectl describe pod mypod</code></td><td><code>k describe po mypod</code></td></tr>
+<tr><td><code>kubectl delete pod mypod --force</code></td><td><code>k delete po mypod --force</code></td></tr>
+</tbody>
+</table>
+
+<h2 id="cheatsheet">7. Final CKAD Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Domain</th><th>Key Topics</th><th>% Weight</th></tr></thead>
+<tbody>
+<tr><td>App Design & Build</td><td>Multi-container, Init Containers, Jobs, CronJobs, volumes</td><td>20%</td></tr>
+<tr><td>App Deployment</td><td>Rolling updates, rollbacks, Helm, Kustomize</td><td>20%</td></tr>
+<tr><td>App Observability</td><td>Probes (liveness/readiness/startup), logs, debug</td><td>15%</td></tr>
+<tr><td>App Env/Config/Security</td><td>ConfigMaps, Secrets, SecurityContext, SA, Resources, QoS</td><td>25%</td></tr>
+<tr><td>Services & Networking</td><td>Services, Ingress, NetworkPolicies</td><td>20%</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">8. Practice Questions</h2>
+
+<p><strong>Q1:</strong> You apply a NetworkPolicy with podSelector: {} and policyTypes: [Ingress] but no ingress rules. What happens?</p>
+<ul>
+<li>A) All ingress traffic is allowed (no rules = no restriction)</li>
+<li>B) All ingress traffic to ALL pods in the namespace is denied ✓</li>
+<li>C) All pods are deleted</li>
+<li>D) Only external ingress is denied; internal pod-to-pod traffic is allowed</li>
+</ul>
+<p><em>Explanation: podSelector: {} matches ALL pods in the namespace. policyTypes: [Ingress] says this policy controls ingress. Having no ingress rules means zero traffic is allowed. This is the "default deny all ingress" pattern. Pod-to-pod traffic within the cluster is also denied because NetworkPolicy controls all ingress, regardless of source.</em></p>
+
+<p><strong>Q2:</strong> In a NetworkPolicy, what is the difference between these two from clauses?<br/>
+Clause A: from: [{podSelector: {app: web}}, {namespaceSelector: {env: prod}}]<br/>
+Clause B: from: [{podSelector: {app: web}, namespaceSelector: {env: prod}}]</p>
+<ul>
+<li>A) They are identical</li>
+<li>B) Clause A: allow from pods with app=web OR from any pod in env=prod namespace. Clause B: allow only from pods with app=web AND in env=prod namespace ✓</li>
+<li>C) Clause A uses AND logic, Clause B uses OR logic</li>
+<li>D) Clause B is invalid YAML syntax</li>
+</ul>
+<p><em>Explanation: In NetworkPolicy, when podSelector and namespaceSelector are in SEPARATE list items (separated by -), they use OR logic. When they are in the SAME list item (same indentation level, no -), they use AND logic. This is a critical distinction and a common exam trap.</em></p>
+
+<p><strong>Q3:</strong> During the CKAD exam, you need to create a Deployment with a specific Pod spec. What is the fastest approach?</p>
+<ul>
+<li>A) Write the entire YAML from memory</li>
+<li>B) Search kubernetes.io docs and copy-paste example YAML</li>
+<li>C) Use kubectl create deployment --dry-run=client -o yaml to generate a template, then edit ✓</li>
+<li>D) Use helm to deploy a chart with default values</li>
+</ul>
+<p><em>Explanation: The --dry-run=client -o yaml pattern generates valid YAML without creating resources. You redirect to a file, edit only the fields that differ, then apply. This is faster than manual YAML authoring and less likely to have syntax errors. Combining with > file.yaml lets you make precise edits.</em></p>

package/content/series/luyen-thi/luyen-thi-ckad/index.md

@@ -8,7 +8,7 @@ description: >-
   App Deployment (20%), Services & Networking (20%), App Observability (15%).
   10 bài học kèm bài tập thực hành terminal.
 
-featured_image: null
+featured_image: images/blog/luyen-thi-ckad-banner.png
 level: intermediate
 duration_hours: 28
 lesson_count: 10