@xdev-asia/xdev-knowledge-mcp 1.0.44 → 1.0.46

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/01-kien-truc-kubernetes.md

@@ -0,0 +1,137 @@
+---
+id: kcna-d1-l01
+title: 'Bài 1: Kubernetes Architecture & Core Components'
+slug: 01-kien-truc-kubernetes
+description: >-
+  Control plane vs Worker node. kube-apiserver, etcd, kube-scheduler,
+  controller-manager, kubelet, kube-proxy. Kubernetes objects overview.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 1
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai1-architecture.png" alt="Kubernetes Architecture — Control Plane và Worker Node components" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="overview">1. Tổng quan Kubernetes</h2>
+
+<p><strong>Kubernetes</strong> (K8s) là nền tảng orchestration container mã nguồn mở do Google phát triển, tặng cho CNCF năm 2014. Kubernetes tự động hóa việc triển khai, scaling và quản lý containerized applications.</p>
+
+<blockquote><p><strong>Exam tip:</strong> KCNA Domain 1 chiếm <strong>46%</strong> đề thi. Câu hỏi thường hỏi "Which component is responsible for..." — học thuộc vai trò từng component.</p></blockquote>
+
+<h2 id="architecture">2. Kiến trúc Kubernetes</h2>
+
+<p>Cluster Kubernetes gồm hai loại node: <strong>Control Plane</strong> và <strong>Worker Node</strong>.</p>
+
+<pre><code class="language-text">┌─────────────────────────────────────────────────────────┐
+│                    CONTROL PLANE                        │
+│  ┌──────────────┐  ┌─────────┐  ┌────────────────────┐ │
+│  │ kube-apiserver│  │  etcd   │  │kube-controller-mgr │ │
+│  │  (REST API)  │  │(DB key- │  │ - Node Controller  │ │
+│  │  front door  │  │ value)  │  │ - ReplicaSet Ctrl  │ │
+│  └──────────────┘  └─────────┘  │ - Endpoints Ctrl   │ │
+│  ┌──────────────┐               └────────────────────┘ │
+│  │kube-scheduler│                                       │
+│  │ (assign node)│                                       │
+│  └──────────────┘                                       │
+└─────────────────────────────────────────────────────────┘
+         │              │              │
+┌────────▼──────┐ ┌─────▼──────┐ ┌───▼────────────┐
+│  WORKER NODE 1│ │WORKER NODE 2│ │  WORKER NODE 3 │
+│  ┌──────────┐ │ │ ┌────────┐ │ │  ┌──────────┐  │
+│  │ kubelet  │ │ │ │kubelet │ │ │  │ kubelet  │  │
+│  │kube-proxy│ │ │ │k-proxy │ │ │  │kube-proxy│  │
+│  │ Pod Pod  │ │ │ │Pod Pod │ │ │  │ Pod Pod  │  │
+│  └──────────┘ │ │ └────────┘ │ │  └──────────┘  │
+└───────────────┘ └────────────┘ └────────────────┘</code></pre>
+
+<h2 id="control-plane">3. Control Plane Components</h2>
+
+<table>
+<thead><tr><th>Component</th><th>Vai trò</th><th>Từ khóa exam</th></tr></thead>
+<tbody>
+<tr><td><strong>kube-apiserver</strong></td><td>Cổng vào duy nhất của cluster, xử lý REST API. Mọi communication đều qua đây.</td><td>"single point of truth", "REST API", "authentication &amp; authorization"</td></tr>
+<tr><td><strong>etcd</strong></td><td>Key-value store lưu trữ toàn bộ cluster state. Là database của Kubernetes.</td><td>"cluster state", "consistent", "distributed key-value"</td></tr>
+<tr><td><strong>kube-scheduler</strong></td><td>Xem xét Pod chưa có node và chọn node phù hợp dựa trên resources, constraints.</td><td>"schedule", "assign node", "resource fit"</td></tr>
+<tr><td><strong>kube-controller-manager</strong></td><td>Chạy nhiều controller loops: Node, ReplicaSet, Endpoints, ServiceAccount, v.v.</td><td>"reconciliation loop", "desired state", "controller"</td></tr>
+<tr><td><strong>cloud-controller-manager</strong></td><td>Tích hợp với cloud provider API (AWS, GCP, Azure) — tùy chọn.</td><td>"cloud integration", "LoadBalancer provisioning"</td></tr>
+</tbody>
+</table>
+
+<h2 id="worker-node">4. Worker Node Components</h2>
+
+<table>
+<thead><tr><th>Component</th><th>Vai trò</th><th>Từ khóa exam</th></tr></thead>
+<tbody>
+<tr><td><strong>kubelet</strong></td><td>Agent chạy trên mỗi node, nhận PodSpec từ apiserver và đảm bảo containers chạy đúng.</td><td>"node agent", "PodSpec", "container health"</td></tr>
+<tr><td><strong>kube-proxy</strong></td><td>Quản lý network rules (iptables/IPVS) cho Services. Cho phép network communication đến Pods.</td><td>"networking", "iptables", "Service load balancing"</td></tr>
+<tr><td><strong>Container Runtime</strong></td><td>Software chạy containers: containerd, CRI-O. Docker đã bị deprecated.</td><td>"CRI", "containerd", "run containers"</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> <strong>kubelet</strong> là component duy nhất không chạy trong container — nó là systemd service trực tiếp trên node. Nếu kubelet crash, node sẽ NotReady.</p></blockquote>
+
+<h2 id="objects">5. Kubernetes Objects Cơ Bản</h2>
+
+<p>Mọi thứ trong Kubernetes là <strong>object</strong> — declarative resources được lưu trong etcd.</p>
+
+<table>
+<thead><tr><th>Object</th><th>Mô tả</th><th>Scope</th></tr></thead>
+<tbody>
+<tr><td><strong>Pod</strong></td><td>Unit nhỏ nhất, chứa 1+ containers chia sẻ network và storage</td><td>Namespaced</td></tr>
+<tr><td><strong>Namespace</strong></td><td>Virtual cluster, isolate resources</td><td>Cluster-wide</td></tr>
+<tr><td><strong>Node</strong></td><td>Worker machine (VM hoặc physical)</td><td>Cluster-wide</td></tr>
+<tr><td><strong>Deployment</strong></td><td>Manage stateless app replicas với rolling update</td><td>Namespaced</td></tr>
+<tr><td><strong>Service</strong></td><td>Stable network endpoint cho Pods</td><td>Namespaced</td></tr>
+<tr><td><strong>ConfigMap / Secret</strong></td><td>Configuration data</td><td>Namespaced</td></tr>
+<tr><td><strong>PersistentVolume</strong></td><td>Storage resource</td><td>Cluster-wide</td></tr>
+</tbody>
+</table>
+
+<h2 id="cheatsheet">6. Cheat Sheet — Component → Nhiệm vụ</h2>
+
+<table>
+<thead><tr><th>Câu hỏi</th><th>Trả lời</th></tr></thead>
+<tbody>
+<tr><td>Lưu cluster state ở đâu?</td><td><strong>etcd</strong></td></tr>
+<tr><td>Component nào chọn node cho Pod?</td><td><strong>kube-scheduler</strong></td></tr>
+<tr><td>Component nào chạy trên mỗi worker, quản lý Pods?</td><td><strong>kubelet</strong></td></tr>
+<tr><td>Component nào xử lý tất cả API calls?</td><td><strong>kube-apiserver</strong></td></tr>
+<tr><td>Component nào manage network rules cho Services?</td><td><strong>kube-proxy</strong></td></tr>
+<tr><td>Component nào watch và reconcile desired state?</td><td><strong>kube-controller-manager</strong></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> Which Kubernetes control plane component is responsible for watching newly created Pods that have no node assigned, and selecting a node for them?</p>
+<ul>
+<li>A) kube-apiserver</li>
+<li>B) kube-scheduler ✓</li>
+<li>C) kube-controller-manager</li>
+<li>D) kubelet</li>
+</ul>
+<p><em>Explanation: kube-scheduler watches for unscheduled Pods and assigns them to suitable nodes based on resource requirements, affinity rules, and constraints.</em></p>
+
+<p><strong>Q2:</strong> Where does Kubernetes store all cluster configuration and state?</p>
+<ul>
+<li>A) kube-apiserver memory</li>
+<li>B) /etc/kubernetes/ on each node</li>
+<li>C) etcd ✓</li>
+<li>D) kubelet database</li>
+</ul>
+<p><em>Explanation: etcd is the consistent, highly-available key-value store that serves as the backing store for all Kubernetes cluster data. Backing up etcd = backing up the entire cluster.</em></p>
+
+<p><strong>Q3:</strong> Which component on a Worker Node is responsible for ensuring containers described in PodSpecs are running and healthy?</p>
+<ul>
+<li>A) kube-proxy</li>
+<li>B) Container runtime</li>
+<li>C) kubelet ✓</li>
+<li>D) kube-controller-manager</li>
+</ul>
+<p><em>Explanation: kubelet is the node agent that receives PodSpecs from kube-apiserver and ensures the described containers are running. It reports node/Pod status back to the control plane.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/02-pods-workloads-controllers.md

@@ -0,0 +1,142 @@
+---
+id: kcna-d1-l02
+title: 'Bài 2: Pods, Workloads & Controllers'
+slug: 02-pods-workloads-controllers
+description: >-
+  Pod lifecycle. Deployments, ReplicaSets, StatefulSets, DaemonSets,
+  Jobs, CronJobs. Labels, selectors, annotations.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 2
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai2-pods-workloads.png" alt="Kubernetes Workload Controllers — Deployment, StatefulSet, DaemonSet, Job" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="pod">1. Pod — Đơn vị nhỏ nhất</h2>
+
+<p>Một <strong>Pod</strong> là nhóm 1 hoặc nhiều containers chia sẻ cùng network namespace (cùng IP, port space) và storage volumes. Pod là đơn vị scheduling trong Kubernetes.</p>
+
+<pre><code class="language-text">┌─────────────────────────────────────┐
+│              POD                    │
+│  IP: 10.244.1.5                     │
+│  ┌────────────┐  ┌───────────────┐  │
+│  │  Container │  │  Sidecar      │  │
+│  │   (app)    │  │  (log-agent)  │  │
+│  └────────────┘  └───────────────┘  │
+│       Shared Volume: /var/log       │
+└─────────────────────────────────────┘</code></pre>
+
+<h3 id="pod-lifecycle">Pod Lifecycle</h3>
+
+<table>
+<thead><tr><th>Phase</th><th>Ý nghĩa</th><th>Debug hint</th></tr></thead>
+<tbody>
+<tr><td><strong>Pending</strong></td><td>Chưa được schedule hoặc đang pull image</td><td>Check events: kubectl describe pod</td></tr>
+<tr><td><strong>Running</strong></td><td>Đang chạy, ít nhất 1 container đang active</td><td>Normal state</td></tr>
+<tr><td><strong>Succeeded</strong></td><td>Tất cả containers thoát với code 0</td><td>Job completed</td></tr>
+<tr><td><strong>Failed</strong></td><td>Ít nhất 1 container thoát với lỗi</td><td>kubectl logs --previous</td></tr>
+<tr><td><strong>Unknown</strong></td><td>Không liên lạc được với node</td><td>Node network issue</td></tr>
+<tr><td><strong>CrashLoopBackOff</strong></td><td>Container liên tục crash và restart</td><td>kubectl logs -p</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> <strong>CrashLoopBackOff</strong> không phải Pod phase chính thức — nó là Container state trong Waiting. Câu hỏi hay hỏi "pod phase" vs "container state".</p></blockquote>
+
+<h2 id="workloads">2. Workload Controllers</h2>
+
+<table>
+<thead><tr><th>Controller</th><th>Dùng khi</th><th>Đặc điểm nổi bật</th></tr></thead>
+<tbody>
+<tr><td><strong>Deployment</strong></td><td>Stateless apps (web server, API)</td><td>Rolling update, rollback, ReplicaSet management</td></tr>
+<tr><td><strong>ReplicaSet</strong></td><td>Đảm bảo N replicas (thường dùng qua Deployment)</td><td>Label selector, ít dùng trực tiếp</td></tr>
+<tr><td><strong>StatefulSet</strong></td><td>Stateful apps (database, Kafka, Elasticsearch)</td><td>Stable pod names (web-0, web-1), stable storage, ordered deployment</td></tr>
+<tr><td><strong>DaemonSet</strong></td><td>Agent chạy trên mọi node (logging, monitoring, network)</td><td>1 Pod/node, auto-deploy khi node mới join</td></tr>
+<tr><td><strong>Job</strong></td><td>Batch task chạy đến khi hoàn thành</td><td>completions, parallelism, backoffLimit</td></tr>
+<tr><td><strong>CronJob</strong></td><td>Periodic batch tasks</td><td>cron syntax, concurrencyPolicy, schedule</td></tr>
+</tbody>
+</table>
+
+<h3 id="deployment-vs-statefulset">Deployment vs StatefulSet</h3>
+
+<pre><code class="language-text">DEPLOYMENT (Stateless)          STATEFULSET (Stateful)
+─────────────────────           ────────────────────────
+Pod names: web-a1b2c3            Pod names: web-0, web-1, web-2
+Any order scale up/down          Ordered: web-0 first, then web-1...
+Shared or no storage             Each Pod gets its own PVC
+Pod replaced = new identity      Pod replaced = same identity
+Examples: nginx, api-server      Examples: MySQL, MongoDB, Kafka</code></pre>
+
+<h2 id="labels">3. Labels, Selectors & Annotations</h2>
+
+<table>
+<thead><tr><th>Concept</th><th>Dùng để</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td><strong>Labels</strong></td><td>Tag resources để select và group</td><td><code>app: frontend, env: prod</code></td></tr>
+<tr><td><strong>Selectors</strong></td><td>Query resources theo labels</td><td><code>selector: {app: frontend}</code></td></tr>
+<tr><td><strong>Annotations</strong></td><td>Metadata không dùng để select (build info, contact)</td><td><code>maintainer: team@company.com</code></td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Service tìm Pods qua <strong>selector</strong> matching Pod <strong>labels</strong>. Nếu selector không match, Service sẽ có empty Endpoints → traffic không đến được Pod.</p></blockquote>
+
+<h2 id="daemonset-usecase">4. DaemonSet Use Cases</h2>
+
+<pre><code class="language-text">NODE 1         NODE 2         NODE 3
+┌──────┐       ┌──────┐       ┌──────┐
+│fluentd│      │fluentd│      │fluentd│  ← Log collector DaemonSet
+│ Pod  │       │ Pod  │       │ Pod  │
+├──────┤       ├──────┤       ├──────┤
+│calico│       │calico│       │calico│  ← CNI network plugin DaemonSet
+│ Pod  │       │ Pod  │       │ Pod  │
+└──────┘       └──────┘       └──────┘</code></pre>
+
+<p>DaemonSets thường dùng cho: <strong>Fluentd/Filebeat</strong> (log collection), <strong>Prometheus Node Exporter</strong> (metrics), <strong>kube-proxy</strong> (networking), <strong>CNI plugins</strong> (Calico, Cilium).</p>
+
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Stateful app, cần stable identity?</td><td><strong>StatefulSet</strong></td></tr>
+<tr><td>1 Pod per node (monitoring agent)?</td><td><strong>DaemonSet</strong></td></tr>
+<tr><td>Stateless app với rolling update?</td><td><strong>Deployment</strong></td></tr>
+<tr><td>One-time batch processing?</td><td><strong>Job</strong></td></tr>
+<tr><td>Scheduled batch (nightly backup)?</td><td><strong>CronJob</strong></td></tr>
+<tr><td>Pod naming pattern cho StatefulSet?</td><td><code>name-0, name-1, name-2</code></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A company needs to deploy a MySQL database on Kubernetes with stable network identity and dedicated storage per replica. Which workload type should they use?</p>
+<ul>
+<li>A) Deployment with PersistentVolumeClaim</li>
+<li>B) StatefulSet ✓</li>
+<li>C) DaemonSet</li>
+<li>D) ReplicaSet</li>
+</ul>
+<p><em>Explanation: StatefulSet provides stable Pod names (mysql-0, mysql-1), ordered deployment/scaling, and each Pod gets its own PVC via volumeClaimTemplates. These properties are essential for databases.</em></p>
+
+<p><strong>Q2:</strong> Which workload ensures exactly one Pod runs on every node in the cluster, including future nodes that join?</p>
+<ul>
+<li>A) Deployment with replicas matching node count</li>
+<li>B) ReplicaSet with nodeSelector</li>
+<li>C) DaemonSet ✓</li>
+<li>D) StatefulSet</li>
+</ul>
+<p><em>Explanation: DaemonSet automatically deploys one Pod per node and watches cluster membership — when a new node joins, the DaemonSet controller immediately creates a Pod on it.</em></p>
+
+<p><strong>Q3:</strong> A Pod is in 'Pending' state. What is the MOST likely cause?</p>
+<ul>
+<li>A) The container application crashed</li>
+<li>B) No node satisfies the scheduling requirements ✓</li>
+<li>C) The liveness probe failed</li>
+<li>D) The container image is corrupted</li>
+</ul>
+<p><em>Explanation: Pending means the Pod has been accepted but hasn't started. Most common reasons: insufficient CPU/memory on nodes, unsatisfied node affinity/taints, or PVC not bound. Check kubectl describe pod events.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/03-services-networking-storage.md

@@ -0,0 +1,155 @@
+---
+id: kcna-d1-l03
+title: 'Bài 3: Services, Networking & Storage'
+slug: 03-services-networking-storage
+description: >-
+  Service types (ClusterIP, NodePort, LoadBalancer, ExternalName). CoreDNS
+  và service discovery. PersistentVolume, PVC, ConfigMap, Secret.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 3
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai3-services-networking.png" alt="Kubernetes Services và Networking — ClusterIP, NodePort, LoadBalancer" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="services">1. Service Types</h2>
+
+<p>Pods có IP tạm thời, bị xóa khi restart. <strong>Service</strong> cung cấp stable Virtual IP (ClusterIP) và load-balancing đến một nhóm Pods qua label selector.</p>
+
+<table>
+<thead><tr><th>Type</th><th>Reachable From</th><th>Use Case</th><th>Real-world Example</th></tr></thead>
+<tbody>
+<tr><td><strong>ClusterIP</strong></td><td>Cluster internal only</td><td>Backend microservices</td><td>Payment service → DB</td></tr>
+<tr><td><strong>NodePort</strong></td><td>External via NodeIP:Port (30000-32767)</td><td>Dev/test access</td><td>Demo app on bare metal</td></tr>
+<tr><td><strong>LoadBalancer</strong></td><td>External via cloud LB</td><td>Production apps on cloud</td><td>AWS/GCP internet traffic</td></tr>
+<tr><td><strong>ExternalName</strong></td><td>CNAME alias for external service</td><td>Integrate external DNS</td><td>legacy-db.company.com</td></tr>
+</tbody>
+</table>
+
+<pre><code class="language-text">External Traffic
+      │
+      ▼
+[LoadBalancer]          ← cloud provider LB (AWS ELB, GCP)
+      │
+[NodePort :30080]       ← all nodes expose port 30080
+      │
+[ClusterIP 10.96.5.3]  ← virtual IP, iptables/IPVS routing
+      │
+ ┌────┴────┐
+[Pod A] [Pod B]        ← matched by label selector</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> <strong>NodePort</strong> tự động tạo thêm <strong>ClusterIP</strong>. <strong>LoadBalancer</strong> tự động tạo thêm <strong>NodePort + ClusterIP</strong>. Mỗi type kế thừa type nhỏ hơn.</p></blockquote>
+
+<h2 id="coredns">2. CoreDNS & Service Discovery</h2>
+
+<p><strong>CoreDNS</strong> là DNS server mặc định trong Kubernetes cluster. Mỗi Service được đăng ký DNS record tự động.</p>
+
+<pre><code class="language-text">DNS format: {service}.{namespace}.svc.cluster.local
+
+Ví dụ:
+  Service "api" trong namespace "production":
+  → api.production.svc.cluster.local
+  → api.production.svc
+  → api.production
+  → api  (chỉ trong cùng namespace)</code></pre>
+
+<table>
+<thead><tr><th>DNS Query</th><th>Resolves To</th><th>Works From</th></tr></thead>
+<tbody>
+<tr><td><code>api</code></td><td>Service ClusterIP</td><td>Same namespace only</td></tr>
+<tr><td><code>api.production</code></td><td>Service ClusterIP</td><td>Any namespace</td></tr>
+<tr><td><code>api.production.svc.cluster.local</code></td><td>Service ClusterIP</td><td>Any namespace (FQDN)</td></tr>
+</tbody>
+</table>
+
+<h2 id="storage">3. Storage: PV, PVC, StorageClass</h2>
+
+<pre><code class="language-text">Storage lifecycle:
+                    STATIC                     DYNAMIC
+                    ─────                      ───────
+  Admin creates  → PersistentVolume     StorageClass (provision template)
+  App requests   → PersistentVolumeClaim → SC auto-provisions PV
+  Pod mounts     → PVC as volume</code></pre>
+
+<table>
+<thead><tr><th>Concept</th><th>Vai trò</th><th>Ai tạo</th></tr></thead>
+<tbody>
+<tr><td><strong>PersistentVolume (PV)</strong></td><td>Tài nguyên storage thực tế (NFS, EBS, GCE Disk)</td><td>Admin hoặc dynamic provisioner</td></tr>
+<tr><td><strong>PersistentVolumeClaim (PVC)</strong></td><td>Request storage với size + access mode</td><td>Developer / App</td></tr>
+<tr><td><strong>StorageClass</strong></td><td>Template tự động tạo PV khi có PVC</td><td>Admin</td></tr>
+</tbody>
+</table>
+
+<h3 id="access-modes">Access Modes</h3>
+
+<table>
+<thead><tr><th>Mode</th><th>Abbrev</th><th>Ý nghĩa</th><th>Ví dụ</th></tr></thead>
+<tbody>
+<tr><td>ReadWriteOnce</td><td><strong>RWO</strong></td><td>1 node đọc+ghi</td><td>EBS volume, local disk</td></tr>
+<tr><td>ReadOnlyMany</td><td><strong>ROX</strong></td><td>Nhiều nodes đọc</td><td>Static files on NFS</td></tr>
+<tr><td>ReadWriteMany</td><td><strong>RWX</strong></td><td>Nhiều nodes đọc+ghi</td><td>NFS, EFS, GlusterFS</td></tr>
+<tr><td>ReadWriteOncePod</td><td><strong>RWOP</strong></td><td>Chỉ 1 Pod (v1.22+)</td><td>Exclusive access needed</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> AWS EBS chỉ hỗ trợ <strong>RWO</strong>. Nếu câu hỏi yêu cầu nhiều Pods ghi đồng thời, cần dùng NFS (RWX). StatefulSet thường dùng RWO với mỗi Pod có PVC riêng.</p></blockquote>
+
+<h2 id="configmap-secret">4. ConfigMap & Secret</h2>
+
+<table>
+<thead><tr><th>Resource</th><th>Dùng cho</th><th>Encoding</th><th>Inject vào Pod</th></tr></thead>
+<tbody>
+<tr><td><strong>ConfigMap</strong></td><td>Config không nhạy cảm (URLs, flags, env files)</td><td>Plain text</td><td>Env var, volume file, CLI args</td></tr>
+<tr><td><strong>Secret</strong></td><td>Data nhạy cảm (passwords, API keys, TLS certs)</td><td>Base64 (NOT encrypted by default)</td><td>Env var (không khuyến khích), volume mount</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Secret chỉ là base64 encoded, <strong>KHÔNG phải encrypted</strong>. Để encrypt Secret at rest, cần bật <strong>Encryption Configuration</strong> ở API Server. Câu hỏi hay dùng "encrypted" như distractor sai.</p></blockquote>
+
+<h2 id="cheatsheet">5. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Expose app ra ngoài cluster trên cloud?</td><td><strong>LoadBalancer</strong> (hoặc Ingress)</td></tr>
+<tr><td>DNS name cho Service "db" trong ns "backend"?</td><td><code>db.backend.svc.cluster.local</code></td></tr>
+<tr><td>Cần storage shared giữa nhiều Pods?</td><td>PV với access mode <strong>RWX</strong></td></tr>
+<tr><td>Tự động provision storage khi deploy?</td><td><strong>StorageClass</strong> + PVC</td></tr>
+<tr><td>Secret có bị encrypt by default?</td><td><strong>Không</strong>, chỉ base64</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">6. Practice Questions</h2>
+
+<p><strong>Q1:</strong> A developer wants to access a backend database Service named "orders-db" from a different namespace called "frontend". Which DNS name should they use?</p>
+<ul>
+<li>A) orders-db</li>
+<li>B) orders-db.default.svc.cluster.local</li>
+<li>C) orders-db.backend.svc.cluster.local ✓</li>
+<li>D) backend.orders-db.cluster.local</li>
+</ul>
+<p><em>Explanation: Cross-namespace DNS requires the full format: {service}.{namespace}.svc.cluster.local. Short name "orders-db" only works within the same namespace.</em></p>
+
+<p><strong>Q2:</strong> Which Service type automatically creates a ClusterIP AND a NodePort?</p>
+<ul>
+<li>A) ClusterIP</li>
+<li>B) NodePort</li>
+<li>C) LoadBalancer ✓</li>
+<li>D) ExternalName</li>
+</ul>
+<p><em>Explanation: LoadBalancer is a superset — it creates ClusterIP + NodePort + cloud load balancer. NodePort includes ClusterIP, but ClusterIP is standalone with no external access.</em></p>
+
+<p><strong>Q3:</strong> A Secret contains a database password. A developer claims the password is "encrypted". Is this claim accurate?</p>
+<ul>
+<li>A) Yes, Kubernetes Secrets are encrypted with AES</li>
+<li>B) No, Secrets are only base64 encoded unless Encryption Configuration is enabled ✓</li>
+<li>C) Yes, Secrets are encrypted using etcd's built-in encryption</li>
+<li>D) No, Secrets are stored in plain text</li>
+</ul>
+<p><em>Explanation: By default, Secrets are stored as base64-encoded strings in etcd — which is NOT encryption. Administrators must configure EncryptionConfiguration on the API server to enable encryption at rest.</em></p>

package/content/series/luyen-thi/luyen-thi-kcna/chapters/01-kubernetes-fundamentals/lessons/04-rbac-security.md

@@ -0,0 +1,137 @@
+---
+id: kcna-d1-l04
+title: 'Bài 4: RBAC & Kubernetes Security'
+slug: 04-rbac-security
+description: >-
+  Role-Based Access Control (RBAC), ServiceAccounts, Network Policies,
+  Pod Security Standards và Security Context. Bảo mật Kubernetes cluster.
+duration_minutes: 55
+is_free: true
+video_url: null
+sort_order: 4
+section_title: "Domain 1: Kubernetes Fundamentals (46%)"
+course:
+  id: lt-kcna-series-001
+  title: 'Luyện thi KCNA — Kubernetes and Cloud Native Associate'
+  slug: luyen-thi-kcna
+---
+
+<img src="/storage/uploads/2026/04/k8s-cert-kcna-bai4-rbac.png" alt="RBAC Authorization Model — Subject, RoleBinding, Role, Rules" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+
+<h2 id="rbac">1. RBAC — Role-Based Access Control</h2>
+
+<p><strong>RBAC</strong> kiểm soát ai (User, Group, ServiceAccount) được làm gì (verbs) với tài nguyên nào (resources) trong namespace hoặc cluster.</p>
+
+<pre><code class="language-text">RBAC Flow:
+Subject (Who?)    →    Role/ClusterRole (What?)    →    RoleBinding (Links)
+
+  User "alice"          Role "pod-reader"              RoleBinding
+  ServiceAccount        - get pods                     alice → pod-reader
+  Group "devs"          - list pods                    (in namespace "dev")
+                        - watch pods</code></pre>
+
+<table>
+<thead><tr><th>Object</th><th>Scope</th><th>Dùng khi</th></tr></thead>
+<tbody>
+<tr><td><strong>Role</strong></td><td>Namespace</td><td>Quyền trong 1 namespace</td></tr>
+<tr><td><strong>ClusterRole</strong></td><td>Cluster-wide</td><td>Quyền trên toàn cluster hoặc non-namespaced resources (nodes)</td></tr>
+<tr><td><strong>RoleBinding</strong></td><td>Namespace</td><td>Gán Role or ClusterRole cho Subject trong 1 namespace</td></tr>
+<tr><td><strong>ClusterRoleBinding</strong></td><td>Cluster-wide</td><td>Gán ClusterRole cho Subject trên toàn cluster</td></tr>
+</tbody>
+</table>
+
+<blockquote><p><strong>Exam tip:</strong> Có thể dùng <strong>RoleBinding</strong> để gán <strong>ClusterRole</strong> vào 1 namespace cụ thể — đây là cách tái sử dụng permission template mà không cấp quyền toàn cluster. Rất hay xuất hiện trong exam!</p></blockquote>
+
+<h2 id="serviceaccounts">2. ServiceAccounts</h2>
+
+<p>Mỗi Pod có thể gắn một <strong>ServiceAccount</strong>. Token của ServiceAccount được mount tự động vào <code>/var/run/secrets/kubernetes.io/serviceaccount/</code>. Pods dùng token này để gọi Kubernetes API.</p>
+
+<pre><code class="language-text">Default ServiceAccount flow:
+  Pod → ServiceAccount → RBAC Role → API Server
+
+Ví dụ: Prometheus cần đọc Pod metrics:
+  ServiceAccount: prometheus-sa
+  ClusterRole: pod-metrics-reader (verbs: get, list, watch)
+  ClusterRoleBinding: prometheus-sa → pod-metrics-reader</code></pre>
+
+<h2 id="network-policies">3. Network Policies</h2>
+
+<p>Mặc định, tất cả Pods trong cluster có thể communicate với nhau. <strong>NetworkPolicy</strong> cho phép giới hạn traffic ingress/egress dựa trên Pod selector, namespace selector, hoặc IP block.</p>
+
+<pre><code class="language-text">❌ Default (no NetworkPolicy): All pods talk to all pods
+✅ With NetworkPolicy:
+   frontend → backend (allowed)
+   frontend → database (BLOCKED)
+   backend → database (allowed)</code></pre>
+
+<blockquote><p><strong>Exam tip:</strong> NetworkPolicy chỉ có tác dụng khi <strong>CNI plugin hỗ trợ</strong> (Calico, Cilium, Weave). Flannel không hỗ trợ NetworkPolicy. Nếu không có policy nào → allow all. Nếu có ít nhất 1 policy → default deny cho traffic được select.</p></blockquote>
+
+<h2 id="pod-security">4. Pod Security Standards</h2>
+
+<p>Kubernetes định nghĩa 3 <strong>Pod Security Standards</strong> (thay thế PodSecurityPolicy từ v1.25):</p>
+
+<table>
+<thead><tr><th>Profile</th><th>Mức độ hạn chế</th><th>Dùng cho</th></tr></thead>
+<tbody>
+<tr><td><strong>Privileged</strong></td><td>Không hạn chế</td><td>System/infra workloads (kube-system)</td></tr>
+<tr><td><strong>Baseline</strong></td><td>Ngăn escalation rõ ràng</td><td>Workloads thông thường</td></tr>
+<tr><td><strong>Restricted</strong></td><td>Tuân thủ hardening tối đa</td><td>Security-sensitive apps</td></tr>
+</tbody>
+</table>
+
+<h2 id="security-context">5. SecurityContext</h2>
+
+<p><strong>SecurityContext</strong> cấu hình bảo mật ở cấp Pod hoặc Container:</p>
+
+<table>
+<thead><tr><th>Security setting</th><th>Ý nghĩa</th></tr></thead>
+<tbody>
+<tr><td><code>runAsNonRoot: true</code></td><td>Container không được chạy với UID 0</td></tr>
+<tr><td><code>runAsUser: 1000</code></td><td>Chạy container với UID 1000</td></tr>
+<tr><td><code>readOnlyRootFilesystem: true</code></td><td>Filesystem read-only (write phải dùng volume)</td></tr>
+<tr><td><code>allowPrivilegeEscalation: false</code></td><td>Không cho process leo thang đặc quyền</td></tr>
+<tr><td><code>capabilities.drop: ["ALL"]</code></td><td>Bỏ tất cả Linux capabilities</td></tr>
+</tbody>
+</table>
+
+<h2 id="cheatsheet">6. Cheat Sheet</h2>
+
+<table>
+<thead><tr><th>Câu hỏi exam</th><th>Đáp án</th></tr></thead>
+<tbody>
+<tr><td>Pod cần gọi K8s API, dùng gì?</td><td><strong>ServiceAccount</strong></td></tr>
+<tr><td>Giới hạn quyền user trong 1 namespace?</td><td><strong>Role</strong> + <strong>RoleBinding</strong></td></tr>
+<tr><td>Giới hạn network traffic giữa Pods?</td><td><strong>NetworkPolicy</strong></td></tr>
+<tr><td>NetworkPolicy cần gì để hoạt động?</td><td>CNI plugin hỗ trợ (Calico, Cilium)</td></tr>
+<tr><td>Privileged → Restricted, Pod Security cần?</td><td><strong>Pod Security Admission</strong></td></tr>
+</tbody>
+</table>
+
+<h2 id="practice">7. Practice Questions</h2>
+
+<p><strong>Q1:</strong> An application Pod needs to access the Kubernetes API to list Pods in its own namespace. What should a cluster administrator create?</p>
+<ul>
+<li>A) ClusterRole with ClusterRoleBinding for all namespaces</li>
+<li>B) ServiceAccount with Role (list pods) and RoleBinding ✓</li>
+<li>C) Service with type LoadBalancer for API Server</li>
+<li>D) ConfigMap with API Server credentials</li>
+</ul>
+<p><em>Explanation: The Pod needs a ServiceAccount, a Role granting "list pods" in its namespace, and a RoleBinding linking them. Using ClusterRole would over-grant access across all namespaces.</em></p>
+
+<p><strong>Q2:</strong> A NetworkPolicy is applied to a Pod. What is the default behavior for traffic not explicitly matched by any rule?</p>
+<ul>
+<li>A) All traffic is allowed (default allow)</li>
+<li>B) Traffic is logged but not blocked</li>
+<li>C) Traffic that matches the Pod selector is denied; all other traffic passes ✓</li>
+<li>D) All traffic to/from the Pod is denied</li>
+</ul>
+<p><em>Explanation: Once a NetworkPolicy selects a Pod (via podSelector), all traffic not explicitly allowed is denied for that policy type (ingress/egress). Non-selected Pods remain unaffected and have full connectivity.</em></p>
+
+<p><strong>Q3:</strong> Which Pod Security Standard profile should be used for a system-level component that requires privileged access to the host?</p>
+<ul>
+<li>A) Restricted</li>
+<li>B) Baseline</li>
+<li>C) Privileged ✓</li>
+<li>D) SystemAdmin</li>
+</ul>
+<p><em>Explanation: The Privileged profile places no restrictions on Pods, allowing all capabilities. It's intended for system/infrastructure components. Baseline prevents known privilege escalations; Restricted enforces maximum hardening.</em></p>