Software containers with security policy enforcement at a data storage device level

US11269537B2 · US · B2

Patent metadata
Publication number: US-11269537-B2
Application number: US-201816189422-A
Country: US
Kind code: B2
Filing date: Nov 13, 2018
Priority date: Jun 29, 2018
Publication date: Mar 8, 2022
Grant date: Mar 8, 2022

Abstract

Official abstract text for this publication.

Method and apparatus for managing software containers in a computer network. A data storage device has a non-volatile memory (NVM) and a controller circuit. A portion of the NVM is allocated for use during deployment of a software container during which an application in the software container is executed by a processor of a virtual machine (VM) hypervisor. A unique session key is generated for the software container, and a token derived from the session key is supplied with each host access command issued to the data storage device during the deployment of the software container. The controller circuit validates each received host access command by determining the session key is valid and that a predetermined time period since deployment has not expired. The controller circuit is further configured to store in a session log a listing of all data blocks accessed in the NVM during the session.
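The per-command check described in the abstract, as an added sketch that is not code from the patent or its assignee. Assumptions: the token is an HMAC-SHA256 over the command fields (the patent only says it is "derived from the session key"), and the dictionary command layout, field names, and block-range check are hypothetical.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


@dataclass
class Session:
    """Per-deployment state the container manager conveys to the drive."""
    key: bytes          # unique session key for this deployment
    deployed_at: float  # drive clock reading (seconds) at deployment
    ttl: int            # predetermined elapsed time interval, in seconds
    lba_start: int      # first block of the allocated NVM portion
    lba_count: int      # size of the allocated portion, in blocks
    log: list = field(default_factory=list)  # session log of served accesses


def make_token(key, op, lba, nblocks, ttl):
    """Assumed derivation: HMAC-SHA256 over the command fields, including the
    time-period indication, so the host cannot change it after signing."""
    msg = op.encode() + struct.pack(">QII", lba, nblocks, ttl)
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_command(key, op, lba, nblocks, ttl):
    """Host side: an access command carrying the period indication and token."""
    return {"op": op, "lba": lba, "nblocks": nblocks, "ttl": ttl,
            "token": make_token(key, op, lba, nblocks, ttl)}


def authorize(s, cmd, now):
    """Controller side: return (allowed, reason); log blocks when allowed."""
    expected = make_token(s.key, cmd["op"], cmd["lba"], cmd["nblocks"], cmd["ttl"])
    if not hmac.compare_digest(expected, cmd.get("token", b"")):
        return False, "bad-token"        # missing or wrong session key
    if cmd["ttl"] != s.ttl:
        return False, "period-mismatch"  # indication differs from provisioned value
    if not 0 <= now - s.deployed_at < s.ttl:
        return False, "expired"          # received outside the session window
    if cmd["lba"] < s.lba_start or cmd["lba"] + cmd["nblocks"] > s.lba_start + s.lba_count:
        return False, "out-of-range"     # outside the container's NVM portion
    s.log.append((now, cmd["op"], cmd["lba"], cmd["nblocks"]))
    return True, "ok"


# Constructed sample: a 600 s session over blocks 4096..5119.
session = Session(b"\x11" * 32, deployed_at=1000.0, ttl=600, lba_start=4096, lba_count=1024)
read_cmd = build_command(session.key, "read", 4096, 8, 600)
print(authorize(session, read_cmd, now=1010.0))
print(authorize(session, read_cmd, now=1600.0))
```

Because the time-period indication arrives from the host, the sketch both covers it with the MAC and compares it with the value provisioned at deployment, so a host that re-signs a longer period is still refused.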

First claim

Opening claim text (preview).

What is claimed is:

1. A data storage device comprising: a non-volatile memory (NVM) having a portion allocated for use by a software container having an application executed by a host device to store and retrieve container data associated with the application, the software container having a unique session key generated responsive to deployment of the software container, the session key valid over a predetermined time period defined as a predetermined elapsed time interval; and a data storage device controller circuit configured to transfer the container data between the portion of the NVM and the host device responsive to access commands supplied by the host device to the data storage device during the execution of the application, each access command including an indication of the predetermined time period and a token derived from the unique session key, the data storage device controller circuit authorizing the transfer of the container data within the portion of the NVM for a selected access command responsive to verification of the unique session key in the selected access command, extraction of the indication of the predetermined time period from the selected access command, and verification that the selected access command was received during the predetermined time period using the extracted indication of the predetermined time period.

2. The data storage device of claim 1, wherein the data storage device controller circuit verifies the unique session key for the selected access command by determining the unique session key forms a portion of the selected access command and by determining that the selected access command was received by the data storage device prior to a conclusion of the predetermined time period.

3. The data storage device of claim 1, wherein the data storage device controller circuit is further configured to deny the transfer of data with the portion of the NVM for a second selected access command responsive to the second selected access command not including the unique session key or responsive to the second selected access command including the unique session key but received, by the data storage device, after a conclusion of the predetermined time period.

4. The data storage device of claim 1, wherein the data storage device controller circuit is further configured to authorize the transfer of the container data with the portion of the NVM for the selected access command responsive to a determination that the selected access command further includes a unique container key, wherein a different session key is assigned to the software container each time that the software container is deployed, and wherein the same container key is used by the software container each time that the software container is deployed.

5. The data storage device of claim 1, characterized as a solid-state drive (SSD), the NVM comprising solid-state semiconductor memory.

6. The data storage device of claim 1, wherein the NVM comprises at least one rotatable data recording disc.

7. The data storage device of claim 1, wherein the data storage device controller circuit performs at least one cryptographic function to verify the session key in the selected access command.

8. The data storage device of claim 1, wherein the selected access command comprises a selected one of a read command to read data from the portion of the NVM, a write command to write data to the portion of the NVM, or a status command to obtain a status for a previously issued access command.

9. The data storage device of claim 1, wherein the data storage device controller circuit further generates a session log as a data structure in a local memory, the session log providing a list of each transfer of data blocks to or from the host device associated with the execution of the application.

10. The data storage device of claim 9, wherein the data storage device controller circuit further applies a selected cryptographic function to the session log.

11. The data storage device of claim 1, wherein the data storage device controller circuit comprises a hypervisor portion that executes an operating system to provide a virtual machine (VM) environment for execution of the application.

12. A system for deploying software containers in a processing environment, comprising: a plurality of data storage devices each having a storage device controller circuit and a non-volatile memory (NVM); a container manager circuit configured to deploy a software container in a virtual machine environment and to assign, to the deployed software container, a unique session key and a corresponding elapsed time period that defines a predetermined elapsed time interval over which the session key will remain valid, the container manager circuit conveying to the storage device controller circuit of each of the plurality of data storage devices the unique session key and the corresponding elapsed time period; and a processor circuit adapted to issue access commands to the data storage devices to transfer data between a processor memory and an allocated portion of the NVM of each selected data storage device responsive to execution, by the processor circuit, of an application of the software container, each access command comprising a token derived using the session key and an indication of the corresponding elapsed time period, the storage device controller circuit of the selected data storage device authorizing servicing of each of the access commands received from the processor circuit having the token based on a determination, by the storage device controller circuit of the selected data storage device, that the access commands were received by the selected data storage device prior to expiration of the elapsed time period responsive to extraction of the indication of the corresponding elapsed time period from the associated access command.

13. The system of claim 12, wherein the container manager circuit comprises an orchestrator circuit and a mapping circuit, the orchestrator circuit configured to generate the software container and to generate a different session key for each deployment of the software container during which the application is executed by the processor circuit, the mapping circuit configured to select the processor circuit and the portions of the NVM of each of the data storage devices for use during each deployment of the software container.

14. The system of claim 12, wherein each data storage device generates a separate session log as a data structure in a local memory that describes each transfer of data blocks with the associated portion of the NVM, and wherein the container manager circuit comprises an agent circuit configured to accumulate and combine the separate session logs from the data storage devices to form a combined log as a data structure in an audit circuit memory to provide a block level map of transfers of data blocks during the session.

15. The system of claim 14, wherein the agent circuit comprises a cryptographic circuit configured to apply a selected cryptographic function to the combined log to provide protected log data which are stored in a memory.

16. The system of claim 12, wherein each selected data storage device controller circuit verifies the unique session key for each selected access command received by the selected data storage device controller circuit by determining the unique session key and an indication of the predetermined time period each respectively forms a portion of the selected access command and by determining that the selected access command was issued to the data storage device prior to a conc

Classifications

  • Command handling arrangements, e.g. command buffers, queues, command scheduling · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • G06F3/0647 (Primary)

    Migration mechanisms · CPC title

  • Improving or facilitating administration, e.g. storage management · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11269537B2 cover?
Method and apparatus for managing software containers in a computer network. A data storage device has a non-volatile memory (NVM) and a controller circuit. A portion of the NVM is allocated for use during deployment of a software container during which an application in the software container is executed by a processor of a virtual machine (VM) hypervisor. A unique session key is generated for…
Who is the assignee on this patent?
Seagate Technology LLC
What technology area does this patent fall under?
Primary CPC classification G06F3/0647. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 8, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).