Prosecution Insights
Last updated: April 19, 2026
Application No. 18/235,772

SECURE SERVICE ACCESS WITH MULTI-CLUSTER NETWORK POLICY

Status: Non-Final OA, §103
Filed: Aug 18, 2023
Examiner: CHEN, SHIN HON
Art Unit: 2431
Tech Center: 2400 (Computer Networks)
Assignee: VMware, Inc.
OA Round: 3 (Non-Final)

Grant Probability: 87% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 2y 10m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 87% (690 granted / 797 resolved; +28.6% vs TC avg; above average)
Interview Lift: +13.4% (moderate lift; measured over resolved cases with interview)
Avg Prosecution: 2y 10m (32 currently pending)
Total Applications: 829 across all art units

Statute-Specific Performance

§101: 12.4% (-27.6% vs TC avg)
§103: 43.3% (+3.3% vs TC avg)
§102: 25.2% (-14.8% vs TC avg)
§112: 3.7% (-36.3% vs TC avg)

Comparisons are against the Tech Center average estimate. Based on career data from 797 resolved cases.

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 have been examined.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/4/25 has been entered.

Response to Arguments

Applicant's arguments filed 12/4/25 have been fully considered but they are not persuasive. Regarding Applicant's remarks, Applicant mainly argues that the combination of references does not disclose "wherein the label identity is generated from a normalized string combining one or more labels of the first pod and one or more labels of a namespace corresponding to the first pod." However, the examiner disagrees. The central concept of the present application is to determine a label identity and add the label identity into the header of a data packet for inter-cluster communication between pods, in order to enforce network policy based on the label identity. Khalid discloses generation of a custom header that includes a UID to identify specific pods based on labels or network information, and enforcement of specific network policies based on the UIDs. Khalid does not explicitly disclose that the UID/label identity is generated from a normalized string combining one or more labels of the first pod and one or more labels of a namespace corresponding to the first pod. However, Pollitt discloses that application pod metadata include various types of information, including cluster identity, namespace identity, label identity, etc., that can be used to identify pods and the network rules associated with the pods (Pollitt: [0016]; [0030]: each pod has a set of one or more user defined labels… a network policy associated with a container-orchestrator system is configured to use label expressions to identify the one or more pods to which the network policy applies; [0037]: pod metadata/label identity are based on various identities including namespace identity and application pod identity and labels). It would have been obvious to one having ordinary skill in the art to generate the UID based on a combination of various pod metadata because Khalid and Pollitt are in the same field of endeavor to establish communication between pods. The motivation to combine would be to allow fine-grained network security. Accordingly, Applicant's argument is not persuasive in light of the above explanation.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 and 7-20 are rejected under 35 U.S.C. 103 as being unpatentable over Khalid et al. U.S. Pub. No. 2024/0291910 (hereinafter Khalid) in view of Pollitt et al. U.S. 2021/0185093 (hereinafter Pollitt).

As per claims 1, 8 and 15, Khalid discloses a method/system/media, comprising: one or more processors coupled to one or more memories that store instructions that, when executed by the one or more processors, cause the system to: receive a data packet from a first pod in a first cluster of a cluster set through a pod interface, wherein the data packet targets a second pod in a second cluster of the cluster set (Khalid: [0030]-[0033]: communicate from one pod to another pod regardless of whether they are in the same cluster or different clusters; Fig. 2; [0085]: communication between pods on different clusters); determine a label identity for the first pod from a table of pods and label identities (Khalid: [0050]-[0054]: labels and corresponding policies are stored in database… each label header includes source UID and destination UID to identify each pod; [0085]-[0086]: UID/label identity is created with an "admin role" to allow communication between pods in different clusters), wherein the label identity is generated from a normalized string (Khalid: [0030]: UID can be based on various types of information and assigned to a pod); add the label identity for the first pod in a header of the data packet (Khalid: [0024]-[0025]: custom header to tag packets with unique identifier… packet transmitted from pod to another pod through SDN that are distributed across multiple clusters; [0087]: a label header is added coming from pod 202 and destined for pod 226); and communicate the data packet from the first cluster to the second cluster through a gateway node (Khalid: Fig. 2; [0087]-[0090]: label headers are used by switches/gateway devices to route packet based on policies from one cluster to another).

Khalid does not explicitly disclose wherein the label identity is generated from a normalized string combining one or more labels of the first pod and one or more labels of a namespace corresponding to the first pod. However, Pollitt discloses a container-orchestration system to automate, deploy, scale and manage containerized applications in the form of application pods, wherein network policy uses pod metadata such as cluster identity, namespace identity, pod identity, pod labels, etc. to determine whether connectivity is allowed (Pollitt: [0016]; [0030]: each pod has a set of one or more user defined labels… a network policy associated with a container-orchestrator system is configured to use label expressions to identify the one or more pods to which the network policy applies; [0037]: pod metadata/label identity are based on various identities including namespace identity and application pod identity and labels). It would have been obvious to one having ordinary skill in the art to generate the label identity based on various types of metadata associated with pods because Khalid and Pollitt are in the same field of endeavor to establish communication between pods. The motivation to combine would be to allow fine-grained network security.

As per claims 2, 9 and 16, Khalid as modified discloses the limitations of claims 1, 8 and 15 respectively. Khalid further discloses wherein the instructions, when executed by the one or more processors, further cause the system to: receive the data packet at the second cluster (Khalid: [0089]: ingress switch receives packet); extract the label identity from the data packet (Khalid: [0089]: extract UID from the packet to associate label header with the packet); determine an ingress rule associated with the label identity (Khalid: [0089]: ingress switch determines policies associated with the header label); and apply the ingress rule to the data packet (Khalid: [0089]: forward packet to destination based on label header).

As per claims 3, 10 and 17, Khalid as modified discloses the limitations of claims 2, 9 and 16 respectively. Khalid further discloses wherein the instructions, when executed by the one or more processors, further cause the system to import a network policy, including the ingress rule, from a leader cluster in the cluster set (Khalid: [0029]-[0030]: network policies are defined by SDN controller, stored in database, and distributed to different clusters associated with the SDN).

As per claims 4, 11 and 18, Khalid as modified discloses the limitations of claims 3, 10 and 17 respectively. Khalid further discloses wherein the network policy specifies a cluster set scope for cross-cluster control (Khalid: Fig. 2; [0077]-[0078] and [0085]-[0089]: pods on different clusters communicate based on different policies).

As per claims 5, 14 and 20, Khalid as modified discloses the limitations of claims 2, 9 and 16 respectively. Khalid further discloses wherein the ingress rule is specified in a declarative network policy to permit access based on an application label of the first pod (Khalid: [0030]-[0031]: label based network policy).

As per claim 7, Khalid discloses the limitations of claim 1. Khalid further discloses wherein adding the label identity to the header comprises adding the label identity to a virtual network identifier (VNI) field of the header (Khalid: [0052] and [0054]: VXLAN header for the pod label).

As per claims 12 and 19, Khalid as modified discloses the limitations of claims 9 and 17 respectively. Khalid further discloses wherein controlling access further comprises dropping the data packet in accordance with the ingress rule (Khalid: [0079]: drop the packet according to rule).

As per claim 13, Khalid discloses the limitations of claims 2 and 9 respectively. Khalid further discloses wherein applying the ingress rule causes the system to forward the data packet to the second pod (Khalid: [0089]: forward packets coming from pod 202 destined to pod 226).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Khalid in view of Pollitt and further in view of Qiu CN112583655 (hereinafter Qiu).

As per claim 6, Khalid as modified discloses the limitation of claim 1. Khalid does not explicitly disclose wherein the label identity is a custom resource definition (CRD) object. However, Qiu discloses use of CRD in the Kubernetes platform (Qiu: p6 last par. – p7 par. 3: use of CRD object to dynamically register object in a Kubernetes cluster). It would have been obvious to one having ordinary skill in the art to generate a CRD object in the virtual network identifier (VNI) of the VXLAN disclosed by Khalid because they are analogous art involving establishing communication between applications in a container orchestration system such as Kubernetes. The motivation to combine would be that use of CRD objects is well known in the art.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Juneja et al. U.S. 2025/0023844 discloses virtual IP for container pod based on custom resource definition (CRD) files. Miriyala et al. U.S. 2024/0223454 discloses that, in container orchestration platforms such as Kubernetes, a network policy is pod-specific and applies to a pod or a group of pods, wherein network policy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods (Miriyala: [0035]-[0038]). Tie et al. U.S. 2024/0419511 discloses zero-downtime upgrade with synchronization node customization in a container orchestration system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am-7pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHIN-HON (ERIC) CHEN/ Primary Examiner, Art Unit 2431
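An added illustration of the packet flow the rejection maps onto Khalid and Pollitt; it is not code from the application or the cited references. The label identity is derived from a normalized string of pod labels plus namespace labels, the sender looks it up in a pod table and stamps it into a VNI-sized header field, and the receiving cluster extracts it and applies an ingress rule compiled from a label expression. The normalization format, the SHA-256 truncation to 24 bits, and the pod and namespace data are all constructed assumptions.

```python
import hashlib

# Constructed sample state (not from the application): pod -> (namespace, pod labels)
# and namespace -> labels. pod-a and pod-c share pod labels but differ by namespace.
PODS = {
    "pod-a": ("payments", {"app": "checkout", "tier": "frontend"}),
    "pod-b": ("payments", {"app": "ledger", "tier": "backend"}),
    "pod-c": ("staging", {"app": "checkout", "tier": "frontend"}),
}
NAMESPACE_LABELS = {
    "payments": {"env": "prod", "team": "fin"},
    "staging": {"env": "staging", "team": "fin"},
}

def normalized_label_string(pod_labels, ns_labels):
    """Canonical string: sorted key=value pairs; namespace labels are prefixed
    with 'ns:' so they cannot collide with pod labels (assumed format)."""
    pod_part = ",".join(f"{k}={v}" for k, v in sorted(pod_labels.items()))
    ns_part = ",".join(f"ns:{k}={v}" for k, v in sorted(ns_labels.items()))
    return f"{ns_part};{pod_part}"

def label_identity(normalized):
    """Assumed hash to a 24-bit value so it fits a VXLAN VNI field. Truncation
    can collide, so a deployment keeps a pod->identity table as the claim does."""
    digest = hashlib.sha256(normalized.encode()).digest()
    return int.from_bytes(digest[:3], "big")

def build_table():
    """Table of pod -> label identity consulted on the sending side."""
    return {pod: label_identity(normalized_label_string(labels, NAMESPACE_LABELS[ns]))
            for pod, (ns, labels) in PODS.items()}

def ingress_rule(pod_selector, ns_selector):
    """Compile a label-expression rule into the set of identities it admits."""
    return {label_identity(normalized_label_string(pod_selector, ns_selector))}

def egress(table, src_pod, dst_pod, payload):
    """Sending cluster: stamp the source pod's label identity into the header."""
    return {"vni": table[src_pod], "dst": dst_pod, "payload": payload}

def ingress(packet, rule):
    """Receiving cluster: extract the identity from the header, apply the rule."""
    return "forward" if packet["vni"] in rule else "drop"

def demo():
    """Same pod labels, different namespace: only the prod pod is admitted."""
    table = build_table()
    rule = ingress_rule({"app": "checkout", "tier": "frontend"}, {"env": "prod", "team": "fin"})
    return {src: ingress(egress(table, src, "pod-b", b"GET /ledger"), rule)
            for src in ("pod-a", "pod-c")}
```

Because the namespace labels are part of the normalized string, a pod in `staging` with the same `app`/`tier` labels as a `payments` pod receives a different identity and is dropped by a rule written for the production pods.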

Prosecution Timeline

Aug 18, 2023: Application Filed
May 20, 2025: Non-Final Rejection (§103)
Aug 22, 2025: Response Filed
Sep 02, 2025: Final Rejection (§103)
Dec 04, 2025: Request for Continued Examination
Dec 19, 2025: Response after Non-Final Action
Mar 09, 2026: Non-Final Rejection (§103), current

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598227: SYSTEMS AND METHODS FOR CONTROLLING SIGN-ON TO WEB APPLICATIONS (granted Apr 07, 2026; 2y 5m to grant)
Patent 12592109: BUILDING EQUIPMENT ACCESS MANAGEMENT SYSTEM WITH DYNAMIC ACCESS CODE GENERATION TO UNLOCK EQUIPMENT CONTROL PANELS (granted Mar 31, 2026; 2y 5m to grant)
Patent 12587528: DATA MASKING (granted Mar 24, 2026; 2y 5m to grant)
Patent 12585804: APPROACHES OF ENFORCING DATA SECURITY, COMPLIANCE, AND GOVERNANCE IN SHARED INFRASTRUCTURES (granted Mar 24, 2026; 2y 5m to grant)
Patent 12574382: PROVIDING SECURITY WITH DYNAMIC PRIVILEGE LEVEL ASSIGNMENT IN A HYBRID-CLOUD STACK (granted Mar 10, 2026; 2y 5m to grant)

Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 87%
With Interview: 99% (+13.4%)
Median Time to Grant: 2y 10m
PTA Risk: High

Based on 797 resolved cases by this examiner. Grant probability is derived from the career allow rate.
