DETAILED ACTION
This office action is in response to the application filed on 12/11/2025. Claim(s) 1-23 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/11/2025 has been entered.
Response to Arguments
Applicant's arguments with respect to amended claim 1, 12, and 13 have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1 and 12-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 10,484,334 B1), hereinafter Lee, in view of Bandarupalli (US 2023/0148158 A1), hereinafter Banda.
Regarding Claim(s) 1, 12, and 13 Lee teaches:
A method for applying a unified policy across multiple computing environments, comprising: (Lee Col. 50 Ln. 38-61 teaches, the extended chamber can cross cloud boundaries and facilitates a single unified policy enforcement end-to-end over multiple cloud. Lee Col. 4 Ln. 41-67 teaches, A computer-implemented or computer-executable version of the invention may be embodied using, stored on, or associated with computer-readable medium or non-transitory computer-readable medium.) the first software container cluster deployed in a first computing environment; (Lee Col. 2 Ln. 1-7 teaches, the firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.)
applying the single policy on a second resource in a second computing environment. (Lee Col. 2 Ln. 1-7 teaches, the firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.)
and a second software […] across the first computing environment and the second computing environment. (Lee Col. 2 Ln. 1-7 teaches, the firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.)
Lee does not appear to explicitly teach but in related art:
configuring an admission controller deployed in a first software container cluster to receive a first policy and a second policy from a unified policy engine, (Banda ¶ 190 teaches, The policy controller 228 selects first and second policies of a plurality of policies enabled for enforcement in a cluster, each of the first and second policies comprising a set of rules and corresponding to a different set of operations performed in the cluster (step 800).)
configuring the admission controller to merge the received first policy and the second policy to generate a single policy (Banda ¶ 190 teaches, In response to determining that the first and second policies correspond to differing first and second policy types, the policy controller merges the first and second policies into an aggregate policy to be enforced at a selected hierarchical level.)
configuring the admission controller to apply the single policy to a resource of the first software container cluster; and (Banda ¶ 190 teaches, In response to determining that the first and second policies correspond to differing first and second policy types, the policy controller merges the first and second policies into an aggregate policy to be enforced at a selected hierarchical level.)
thereby, the applied single policy is provided for the first software container cluster (Banda ¶4 teaches, merging the first and second policies into an aggregate policy to be enforced at a selected hierarchical level. ¶ 190 The policy controller selects first and second policies of a plurality of policies enabled for enforcement in a cluster)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Lee with Banda, to modify the system for distributed firewall security that extends across different cloud computing networks of Lee with the merging and application of policies of Banda. The motivation to do so, per Banda ¶ 190, is policy enforcement in a cluster.
Claim(s) 2-3, 6, 14-15, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Banda as applied to claim 1 above, and further in view of Szigeti (US 2024/0403437 A1), hereinafter Szigeti.
Regarding Claim(s) 2 and 14 Lee in view of Banda teaches:
The method of claim 1, further comprising: (Lee in view of Banda teaches the parent claim above.)
the second software container deployed in a second computing environment. (Lee Col. 2 Ln. 1-7 teaches, the firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. (i.e. second environment) The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.)
Lee in view of Banda does not appear to explicitly teach but in related art:
configuring an admission controller deployed in a second software container cluster to receive the policy from the unified policy engine, (Szigeti ¶ 55 teaches, for example, application security manager 402 may be implemented as a component of a controller such as an admission controller. For instance, application security manager 402 may be a component of an admission controller that can enforce deployment requirements and restrictions in a cluster (e.g., upon every workload start and/or any configuration change)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Lee in view of Banda with Szigeti, to modify the system for distributed firewall security that extends across different cloud computing networks of Lee with the merging and application of policies of Banda with the admission controller of Szigeti. The motivation to do so, per Szigeti ¶ 27, is to improve manageability and reduce maintenance.
Regarding Claim(s) 3 and 15 Lee-Banda-Szigeti teaches:
The method of claim 2, further comprising: (Lee-Banda-Szigeti teaches the parent claim above.)
configuring the admission controller deployed in the second software container cluster to apply the received policy to a resource of the second software container. (Szigeti ¶ 55 teaches, for example, application security manager may be implemented as a component of a controller such as an admission controller. For instance, application security manager may be a component of an admission controller that can enforce deployment requirements and restrictions in a cluster (e.g., upon every workload start and/or any configuration change)
The motive given in Claim 2 is equally applicable to the above claim.
Regarding Claim(s) 6 and 18 Lee-Banda-Szigeti teaches:
The method of claim 1, further comprising: (Lee in view of Banda teaches the parent claim above.)
applying the policy to a second resource deployed in the first computing environment. (Lee Col. 12 Ln. 1-11 teaches, the first cloud chamber includes computing resources such as first and second virtual machines. Szigeti ¶ 55 teaches, for example, application security manager 402 may be implemented as a component of a controller such as an admission controller. For instance, application security manager 402 may be a component of an admission controller that can enforce deployment requirements and restrictions in a cluster (e.g., upon every workload start and/or any configuration change)
The motive given in Claim 2 is equally applicable to the above claim.
Regarding Claim(s) 7 and 19 Lee in view of Banda teaches:
The method of claim 6, (Lee in view of Banda teaches the parent limitation above.) wherein the second resource is any one of: a virtual machine, a software container, a serverless function, a code object in an infrastructure as code declaratory code, and a combination thereof. (Lee Col. 12 Ln. 1-11 teaches, the first cloud chamber includes computing resources such as first and second virtual machines.)
The motive given in Claim 1 is equally applicable to the above claim.
Claim(s) 4-5 and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Banda as applied to claim 1 above, and further in view of Dharmaprikar (US 2023/0126234 A1), hereinafter Dharm.
Regarding Claim(s) 4 and 16 Lee in view of Banda teaches:
The method of claim 1, (Lee in view of Banda teaches the parent claim above.) wherein the second resource is a second software container cluster generated based on a code object from which the first software container cluster is deployed. (Dharm ¶ 80 and abstract teaches, upon receiving a request to generate a snapshot for object (i.e., resource generated based on an object), the data backup and restore system 150 uses the snapshot tool 180 to dynamically generate a snapshot that includes volume data and content data 430. By dynamically generating a snapshot, volume data and content data may be generated together to be included in the snapshot.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Lee in view of Banda with Dharm, to modify the system for distributed firewall security that extends across different cloud computing networks of Lee with the policy merging of Banda with the snapshot of an object of Dharm. The motivation to do so, per Dharm ¶ 46, is to improve storage density.
Regarding Claim(s) 5 and 17 Lee-Banda-Dharm teaches:
The method of claim 1, wherein the resource is any one of: (Lee in view of Banda teaches the parent claim above.)
a node, a container, a pod, a service, a volume, a namespace, a deployment, a replica controller, a replicaset, a daemonset, a statefulset, a configmap, a job, and any combination thereof. (Dharm ¶ 80 and abstract teaches, upon receiving a request to generate a snapshot for object (i.e., a snapshot is a volume), the data backup and restore system 150 uses the snapshot tool 180 to dynamically generate a snapshot that includes volume data and content data 430. By dynamically generating a snapshot, volume data and content data may be generated together to be included in the snapshot.)
The motive given in Claim 4 is equally applicable to the above claim.
Claim(s) 8-10 and 20-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Banda as applied to claim 1 above, and further in view of Kashyap (US 2024/0296077 A1), hereinafter Kashyap.
Regarding Claim(s) 8 and 20 Lee in view of Banda teaches:
The method of claim 1, further comprising: (Lee in view of Banda teaches the parent claim above.)
intercepting a request at a control plane of the first software container cluster; (Kashyap ¶ 100 teaches, Admission controller 804 is a component in the control plane that intercepts the request to Kubernetes API 802.)
sending the request to the admission controller; and (Kashyap ¶ 100 teaches, Admission controller 804 is a component in the control plane that intercepts the request to Kubernetes API 802)
configuring the admission controller to apply the policy to the request. (Kashyap ¶ 100 teaches, Admission controller 804 is a component in the control plane that intercepts the request to Kubernetes API 802 and invokes a user defined webhook process that uses storage predictor 806 to examine and change the request content. (i.e., apply the policy))
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Lee in view of Banda with Kashyap, to modify the system for distributed firewall security that extends across different cloud computing networks of Lee with the merging of policies of Banda with the admission controller for interception of Kashyap. The motivation to do so constitutes applying a known technique (intercepting requests) to known devices and/or methods (applying security rules across cloud environments) ready for improvement, to yield the predictable result of applying the rules to all components.
Regarding Claim(s) 9 and 21 Lee-Banda-Kashyap teaches:
The method of claim 8, (Lee-Banda-Kashyap teaches the parent limitation above.) wherein the request is intercepted between a container of the first software container cluster and the control plane by a webhook of the control plane. (Kashyap ¶ 100 teaches, Admission controller 804 is a component in the control plane that intercepts the request to Kubernetes API 802 and invokes a user defined webhook process that uses storage predictor 806 to examine and change the request content.)
The motive given in Claim 8 is equally applicable to the above claim.
Regarding Claim(s) 10 and 22 Lee-Banda-Kashyap teaches:
The method of claim 8, (Lee-Banda-Kashyap teaches the parent limitation above.) wherein the request includes an instruction which when initiated by the control plane, deploys a software container in the first software container cluster. (Kashyap ¶ 64 teaches, this request can be generated by deployment process 221 that deploys applications 256 in containers 250.)
The motive given in Claim 8 is equally applicable to the above claim.
Claim(s) 11 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Banda as applied to claim 1 above, and further in view of Ali (US 12,003,543 B1), hereinafter Ali.
Regarding Claim(s) 11 and 23 Lee in view of Banda teaches:
The method of claim 1, wherein the admission controller is any one of: (Lee in view of Banda teaches the parent claim above.) a mutating admission controller, a validating admission controller, and a combination thereof. (Ali Col. 1 Ln. 25-33 teaches, This system includes a mutating admission controller and a validating admission controller for performing mutating processes and additional validating processes on API requests received by the API server, respectively.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Lee in view of Banda with Ali, to modify the system for distributed firewall security that extends across different cloud computing networks of Lee with the merging of policies of Banda with the validating and mutating admission controller of Ali. The motivation to do so, per Ali Col. 1 Ln. 30-33, is performing mutating processes and additional validating processes on API requests received by the API server.
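The rejections above rely on three mechanisms the cited references describe only in prose: merging two policies of different types into one aggregate policy (Banda ¶ 190), intercepting an API request in the control plane and handing it to a webhook (Kashyap ¶ 100), and validating versus mutating that request (Ali Col. 1 Ln. 25-33). The following is an added, self-contained illustration of what such an admission controller does in Kubernetes terms; it is not code from this office action, the applicant, or any of the cited references. The two policy shapes, the registry and label values, and the sample AdmissionReview request are constructed for the example; the AdmissionReview envelope and JSON Patch encoding follow the admission.k8s.io/v1 API.

```python
"""Added example (not from the office action or the cited references):
a minimal admission webhook handler that merges two policies of different
types into one aggregate policy and applies it to a Pod CREATE request,
producing a validating verdict and, when allowed, a mutating JSON Patch.
Policy contents and the sample request are constructed for illustration."""
import base64
import json

# Constructed policies. One is a validating rule (image registry allow-list),
# the other a mutating rule (required labels with defaults to add if absent).
REGISTRY_POLICY = {"type": "image-registry",
                   "allowed_registries": ["registry.internal.example/"]}
LABEL_POLICY = {"type": "required-labels",
                "required_labels": {"team": "unassigned", "env": "dev"}}


def merge_policies(first, second):
    """Merge two policies into a single aggregate policy. Registry policies
    are intersected and label policies unioned, so the aggregate is never
    more permissive than either input. None means "no registry rule"."""
    merged = {"allowed_registries": None, "required_labels": {}}
    for pol in (first, second):
        if pol["type"] == "image-registry":
            regs = set(pol["allowed_registries"])
            cur = merged["allowed_registries"]
            merged["allowed_registries"] = regs if cur is None else cur & regs
        elif pol["type"] == "required-labels":
            merged["required_labels"].update(pol["required_labels"])
        else:
            raise ValueError(f"unknown policy type {pol['type']!r}")
    return merged


def apply_policy(policy, pod):
    """Validate a Pod against the aggregate policy and compute a JSON Patch
    adding any missing required labels. Returns (allowed, reasons, patch)."""
    reasons = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    regs = policy["allowed_registries"]
    if regs is not None:
        for c in containers:
            image = c.get("image", "")
            if not any(image.startswith(r) for r in regs):
                reasons.append(f"container {c.get('name')!r} uses image "
                               f"{image!r} outside the allowed registries")
    patch = []
    labels = pod.get("metadata", {}).get("labels")
    if labels is None and policy["required_labels"]:
        patch.append({"op": "add", "path": "/metadata/labels", "value": {}})
        labels = {}
    for key, default in sorted(policy["required_labels"].items()):
        if key not in labels:
            # JSON Pointer escaping per RFC 6901: "~" -> "~0", "/" -> "~1"
            esc = key.replace("~", "~0").replace("/", "~1")
            patch.append({"op": "add", "path": f"/metadata/labels/{esc}",
                          "value": default})
    return (not reasons), reasons, patch


def admission_review_response(review, policy):
    """Build the AdmissionReview response the API server expects: it must
    echo the request uid; a mutation is a base64-encoded JSON Patch."""
    req = review["request"]
    allowed, reasons, patch = apply_policy(policy, req["object"])
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": "; ".join(reasons)}
    elif patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def make_review(image, labels):
    """Constructed sample AdmissionReview for a Pod CREATE request."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "0d8f3b1a-example", "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "web", "namespace": "default",
                                                "labels": labels},
                                   "spec": {"containers": [{"name": "web",
                                                            "image": image}]}}}}


def decode_patch(response):
    """Decode the base64 JSON Patch from a response (for inspection)."""
    return json.loads(base64.b64decode(response["response"]["patch"]))


if __name__ == "__main__":
    single = merge_policies(REGISTRY_POLICY, LABEL_POLICY)
    ok = make_review("registry.internal.example/web:1.2", {"team": "payments"})
    print(json.dumps(admission_review_response(ok, single), indent=2))
    bad = make_review("docker.io/library/nginx:latest", {"team": "payments"})
    print(json.dumps(admission_review_response(bad, single), indent=2))
```

The same handler serves both the "validating" and "mutating" roles the rejection of claims 11 and 23 distinguishes: a request that fails the aggregate policy is rejected with a 403 status, and a request that passes is mutated only to fill in defaults. Note that a real webhook should also be registered with `failurePolicy: Fail` so an unreachable controller does not silently admit unvetted workloads; that setting lives in the MutatingWebhookConfiguration/ValidatingWebhookConfiguration object, not in the handler, and is not shown here.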
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20240272958 A1 - DISTRIBUTED OPERATING SYSTEM IMPLEMENTED WITHIN A COMPUTER CLUSTER
US 20240241944 A1 - SECURITY INTENTS AND TRUST COORDINATION FOR CLOUD NATIVE WORKLOADS
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.B.K./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408