Distributed Service Processing of Network Gateways Using Virtual Machines
US-2016028851-A1 · Jan 28, 2016 · US
US10009317B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10009317-B2 |
| Application number | US-201615334151-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 25, 2016 |
| Priority date | Mar 24, 2016 |
| Publication date | Jun 26, 2018 |
| Grant date | Jun 26, 2018 |
Abstract
Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include: receiving metadata about a deployed container from a container orchestration layer; determining an application or service associated with the deployed container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; and generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container can communicate.
Claims
What is claimed is:

1. A method for security in a container-based virtualization environment comprising: receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server; determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate; producing a low-level firewall rule set using the high-level declarative security policy; and applying the low-level firewall rule set to data network traffic.

2. The method of claim 1, in which the metadata is received from the container orchestration layer using at least an application programming interface (API).

3. The method of claim 1, in which: the metadata includes at least one of an image name, image type, service name, ports, and other tags and labels associated with the deployed container; and the at least one of the image name, image type, service name, ports, and other tags and labels is associated with the determined application or service.

4. The method of claim 3, in which determining the application or service includes: ascertaining an image type associated with the deployed container using the metadata; and identifying the determined application or service using the image type.

5. The method of claim 1, in which the deployed container is at least one of: a Docker container and a Rocket (rkt) container.

6. The method of claim 5, in which the container orchestration layer is at least one of: Docker Swarm, Kubernetes, Diego, and Mesos.

7. The method of claim 1, in which the determined application or service is at least one of: a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.

8. The method of claim 1, in which the producing the low-level firewall rule set includes providing the high-level declarative security policy to a compiler.

9. The method of claim 1, in which the applying the low-level firewall rule set includes providing the low-level firewall rule set to an enforcement point.

10. The method of claim 1, further comprising: determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and performing at least one of: sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

11. A system for security in a container-based virtualization environment comprising: a hardware processor; and a memory coupled to the hardware processor, the memory storing instructions which are executable by the hardware processor to perform a method comprising: receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server; determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate; producing a low-level firewall rule set using the high-level declarative security policy; and applying the low-level firewall rule set to data network traffic.

12. The system of claim 11, in which the metadata is received from the container orchestration layer using at least an application programming interface (API).

13. The system of claim 11, in which: the metadata includes at least one of an image name, image type, service name, ports, and other tags and labels associated with the deployed container; and the at least one of the image name, image type, service name, ports, and other tags and labels is associated with the determined application or service.

14. The system of claim 13, in which determining the application or service includes: ascertaining an image type associated with the deployed container using the metadata; and identifying the determined application or service using the image type.

15. The system of claim 11, in which the deployed container is at least one of: a Docker container and a Rocket (rkt) container.

16. The system of claim 15, in which the container orchestration layer is at least one of: Docker Swarm, Kubernetes, Diego, and Mesos.

17. The system of claim 11, in which the determined application or service is at least one of: a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.

18. The system of claim 11, in which the producing the low-level firewall rule set includes compiling the high-level declarative security policy, and the applying the low-level firewall rule set includes providing the low-level firewall rule set to an enforcement point.

19. The system of claim 11, in which the method further comprises: determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and performing at least one of: sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

20. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization environment, the method comprising: receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server; determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate; producing a low-level firewall rule set using the high-level declarative security policy; and applying the low-level firewall rule set to data network traffic.
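The claims describe one pipeline: orchestrator metadata is used to determine a service (by image type, falling back to labels), a behaviour model for that service yields a high-level policy stated in terms of services, a compiler turns that into address-level rules, and an enforcement point applies them and flags violations. The following is an added toy implementation of that pipeline, written for this page and not taken from the patent or any product; the container metadata, the image-type lookup, the behaviour models, the addresses and the sample flows are all constructed, and the default-deny behaviour for unlisted flows is a design choice of this example, not something the claims specify.

```python
"""Added example, not the patent's own code: a toy end-to-end implementation of
the claimed pipeline. Orchestrator metadata -> determined service -> behaviour
model -> high-level declarative policy -> compiled low-level rule set ->
enforcement with violation detection. Every name, model, address and flow is
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed: what an orchestration-layer API (e.g. Kubernetes) might report per container.
CONTAINER_METADATA = [
    {"name": "web-1", "image": "nginx:1.25", "ports": [80],
     "labels": {"tier": "frontend"}, "ip": "10.0.1.10"},
    {"name": "app-1", "image": "registry.example:5000/myshop/api:3", "ports": [8080],
     "labels": {"app": "api", "tier": "backend"}, "ip": "10.0.2.20"},
    {"name": "db-1", "image": "postgres:15", "ports": [5432],
     "labels": {"tier": "data"}, "ip": "10.0.3.30"},
]

# Constructed lookup from image type to determined application or service (claims 3-4).
IMAGE_TYPE_TO_SERVICE = {"nginx": "web server", "postgres": "database", "rabbitmq": "message queue"}

# Constructed behaviour models: which services each service is expected to initiate
# connections to (the "model identifying expected network communications behavior").
SERVICE_MODELS: Dict[str, Dict] = {
    "web server": {"talks_to": {"api"}},
    "api": {"talks_to": {"database"}},
    "database": {"talks_to": set()},
}


def image_type(image: str) -> str:
    """Strip registry, namespace, tag and digest: 'reg:5000/ns/nginx:1.25' -> 'nginx'."""
    repo = image.split("/")[-1]
    return repo.split("@")[0].split(":")[0]


def determine_service(meta: dict) -> str:
    """Claim 4: classify by image type first; fall back to the orchestrator's 'app' label."""
    return IMAGE_TYPE_TO_SERVICE.get(image_type(meta["image"]), meta["labels"].get("app", "unknown"))


@dataclass(frozen=True)
class HighLevelPolicy:
    container: str
    service: str
    may_talk_to: FrozenSet[str]  # expressed as services, never as addresses


@dataclass(frozen=True)
class Rule:
    src_ip: str
    dst_ip: str
    dst_port: int


def generate_policies(metadata: List[dict]) -> List[HighLevelPolicy]:
    """One declarative policy per container, derived from its service's model."""
    policies = []
    for meta in metadata:
        service = determine_service(meta)
        # An unrecognised service gets an empty model: it may initiate nothing.
        model = SERVICE_MODELS.get(service, {"talks_to": set()})
        policies.append(HighLevelPolicy(meta["name"], service, frozenset(model["talks_to"])))
    return policies


def compile_rules(policies: List[HighLevelPolicy], metadata: List[dict]) -> List[Rule]:
    """The 'compiler' of claim 8: resolve service names to concrete addresses and ports."""
    by_name = {m["name"]: m for m in metadata}
    by_service: Dict[str, List[dict]] = {}
    for p in policies:
        by_service.setdefault(p.service, []).append(by_name[p.container])
    rules = []
    for p in policies:
        src_ip = by_name[p.container]["ip"]
        for dst_service in p.may_talk_to:
            for dst in by_service.get(dst_service, []):
                for port in dst["ports"]:
                    rules.append(Rule(src_ip, dst["ip"], port))
    return rules  # flows not listed here are denied by this example's design


def enforce(rules: List[Rule], flow: Tuple[str, str, int]) -> str:
    """Claims 9-10: the enforcement point allows listed flows and drops and alerts on others."""
    src_ip, dst_ip, dst_port = flow
    return "ALLOW" if Rule(src_ip, dst_ip, dst_port) in rules else "DROP+ALERT"


def run_demo() -> Dict[Tuple[str, str, int], str]:
    """Run the whole pipeline over constructed traffic and return each flow's verdict."""
    rules = compile_rules(generate_policies(CONTAINER_METADATA), CONTAINER_METADATA)
    flows = [  # constructed: (src_ip, dst_ip, dst_port)
        ("10.0.1.10", "10.0.2.20", 8080),  # web -> api: expected by the model
        ("10.0.2.20", "10.0.3.30", 5432),  # api -> database: expected by the model
        ("10.0.1.10", "10.0.3.30", 5432),  # web -> database directly: policy violation
        ("10.0.3.30", "10.0.2.20", 8080),  # database -> api: database initiates nothing
    ]
    return {flow: enforce(rules, flow) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in run_demo().items():
        print(flow, verdict)
```

The point worth noticing is the separation the claims insist on: the high-level policy names services ("web server may talk to api"), so it survives containers being rescheduled to new addresses; only the compiled rule set carries IPs and ports, and it is regenerated from fresh orchestrator metadata rather than edited by hand.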
CPC classification titles:

- Rule management
- For managing network security; network security policies in general (filtering policies H04L63/0227)
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- Event detection, e.g. attack signature detection