Constrained roles for access management
US-11297066-B2 · Apr 5, 2022 · US
US12474902B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12474902-B2 |
| Application number | US-202217950577-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 22, 2022 |
| Priority date | Sep 22, 2022 |
| Publication date | Nov 18, 2025 |
| Grant date | Nov 18, 2025 |
Official abstract text for this publication.
Systems and methods for implementing an annotation driven just in time and state-based RBAC policy control are disclosed. The method inserts an annotation into a code base that includes a function. The annotation identifies a resource corresponding to the function. The method compiles the code base into compiled code, which includes inserting, based on the annotation, a first request prior to the function that requests permission to access the resource; and inserting, based on the annotation, a second request subsequent to the function to turn off permission to access the resource. The method then deploys the compiled code to a target environment.
Opening claim text (preview).
What is claimed is:

1. A method comprising: inserting an annotation into a code base comprising a function, wherein the annotation comprises a resource identifier that identifies a resource corresponding to the function; compiling, by a processing device, the code base into compiled code, wherein, during the compiling, the method further comprises: inserting into the code base, based on the annotation, a first request prior to the function that requests permission to access the resource corresponding to the resource identifier; and inserting into the code base, based on the annotation, a second request subsequent to the function to turn off permission to access the resource corresponding to the resource identifier; deploying the compiled code as a container to a target environment; executing the compiled code by the container, wherein, during the executing of the compiled code, the method further comprises: sending, from the container, the first request to a trusted controller to request permission for the container to access the resource; responsive to receiving the first request at the trusted controller, formatting, by the trusted controller, a first policy request based on a plug-in corresponding to the resource; sending the first policy request from the trusted controller to the resource to turn on permission for the container to access the resource; responsive to sending the first request, executing, by the container, the function at the resource; responsive to executing the function at the resource, sending, from the container, the second request to the trusted controller to turn off permission for the container to access the resource; responsive to receiving the second request at the trusted controller, formatting, by the trusted controller, a second policy request based on the plug-in corresponding to the resource; and sending, by the trusted controller to the resource, the second policy request to turn off permission for the container to access the resource.

2. The method of claim 1, further comprising: responsive to a policy change at the resource, modifying the plug-in at the trusted controller to create a modified plug-in; and formatting, by the trusted controller, the first policy request and the second policy request based on the modified plug-in.

3. The method of claim 1, wherein the annotation comprises a state-based policy that, during the compiling, the state-based policy is inserted into the first request, the method further comprising: responsive to receiving the first request that comprises the state-based policy, analyzing, by the trusted controller, the state-based policy against one or more conditions corresponding to the container and the resource; and inhibiting, by the trusted controller, a policy request to request permission for the container to access the resource based on the analyzing.

4. The method of claim 1, wherein the annotation comprises a time-based policy that, during the compiling, the time-based policy is inserted into the first request, the method further comprising: responsive to receiving the first request that comprises the time-based policy, analyzing, by the trusted controller, the time-based policy against a current time; and inhibiting, by the trusted controller, a policy request to request permission for the container to access the resource based on the analyzing.

5. The method of claim 1, further comprising: creating, by the trusted controller, a historical usage pattern based on historical activity between the container and the resource; comparing, by the trusted controller, the historical usage pattern against a current usage pattern between the container and the resource; and generating an alert based on the comparing indicating that a difference between the current usage pattern and the historical usage pattern exceeds a threshold.

6. A system comprising: a memory; and a processing device operatively coupled to the memory, the processing device to: insert an annotation into a code base comprising a function, wherein the annotation comprises a resource identifier that identifies a resource corresponding to the function; compile, by the processing device, the code base into compiled code, the processing device further to: insert into the code base, based on the annotation, a first request prior to the function that requests permission to access the resource corresponding to the resource identifier; and insert into the code base, based on the annotation, a second request subsequent to the function to turn off permission to access the resource corresponding to the resource identifier; deploy the compiled code as a container to a target environment; execute the compiled code by the container to: send, from the container, the first request to a trusted controller to request permission for the container to access the resource; responsive to receiving the first request at the trusted controller, format, by the trusted controller, a first policy request based on a plug-in corresponding to the resource; send the first policy request from the trusted controller to the resource to turn on permission for the container to access the resource; responsive to sending the first request, execute, by the container, the function at the resource; responsive to executing the function at the resource, send, from the container, the second request to the trusted controller to turn off permission for the container to access the resource; responsive to receiving the second request at the trusted controller, format, by the trusted controller, a second policy request based on the plug-in corresponding to the resource; and send, by the trusted controller to the resource, the second policy request to turn off permission for the container to access the resource.

7. The system of claim 6, wherein the trusted controller is further to: responsive to a policy change at the resource, modify the plug-in at the trusted controller to create a modified plug-in; and format the first policy request and the second policy request based on the modified plug-in.

8. The system of claim 6, wherein the annotation comprises a state-based policy that, during the compilation, the state-based policy is inserted into the first request, the trusted controller is further to: responsive to receiving the first request that comprises the state-based policy, analyze the state-based policy against one or more conditions corresponding to the container and the resource; and inhibit a policy request to request permission for the container to access the resource based on the analysis.

9. The system of claim 6, wherein the annotation comprises a time-based policy that, during the compilation, the time-based policy is inserted into the first request, the trusted controller is further to: responsive to receiving the first request that comprises the time-based policy, analyze the time-based policy against a current time; and inhibit a policy request to request permission for the container to access the resource based on the analysis.

10. The system of claim 6, wherein the trusted controller is further to: create a historical usage pattern based on historical activity between the container and the resource; compare the historical usage pattern and a current usage pattern of activity between the container and the resource; and generate an alert based on the comparison indicating that a difference between the current usage pattern and the historical usage pattern exceeds a threshold.

11. A non-transitory computer-readable medium having instructions stored thereon which, when executed by a processing de
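The flow of claims 1 and 4 (a first request emitted before the function, a second after it, a trusted controller that formats policy requests through a per-resource plug-in, and a time-based policy that can inhibit the grant), shown as an added Python illustration that is not code from the patent or its assignee. A decorator stands in for the compile-time annotation; Resource, db_plugin, TrustedController, the hour-of-day CLOCK and the 9-17 window are constructed assumptions.

```python
import functools

class Resource:  # constructed stand-in for a resource that enforces its own policy
    def __init__(self):
        self.allowed, self.log = set(), []
    def apply(self, req):  # req is in whatever format the plug-in produced
        self.log.append(req)
        (self.allowed.add if req["op"] == "allow" else self.allowed.discard)(req["who"])

def db_plugin(who, allow):
    """Plug-in: formats a policy request in the resource's own vocabulary."""
    return {"op": "allow" if allow else "deny", "who": who}

class TrustedController:
    def __init__(self, resources, plugins, clock):
        self.resources, self.plugins, self.clock = resources, plugins, clock
    def _policy_request(self, who, res, allow):
        self.resources[res].apply(self.plugins[res](who, allow))
    def turn_on(self, who, res, window=None):
        # Time-based policy carried in the first request: inhibit outside the window.
        if window and not (window[0] <= self.clock() < window[1]):
            return False
        self._policy_request(who, res, True)
        return True
    def turn_off(self, who, res):
        self._policy_request(who, res, False)

def needs(ctl, res, window=None):
    """Annotation: emit the first request before the function, the second after it."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(who, *a, **kw):
            if not ctl.turn_on(who, res, window):
                raise PermissionError(f"{res}: grant inhibited by policy")
            try:
                return fn(who, *a, **kw)
            finally:  # second request runs even if fn raises, so access never lingers
                ctl.turn_off(who, res)
        return wrapper
    return deco

DB, CLOCK = Resource(), {"hour": 10}  # hour-of-day clock, constructed for the demo
CTL = TrustedController({"db": DB}, {"db": db_plugin}, lambda: CLOCK["hour"])

@needs(CTL, "db", window=(9, 17))  # the window is the annotation's time-based policy
def run_report(who):
    return "report ok" if who in DB.allowed else "resource did not grant access"
```

The revocation in the `finally` branch is the point to check in a real deployment: if the second request is skipped on an error path, the container keeps its grant until something else turns it off.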