On-path dynamic policy enforcement and endpoint-aware policy enforcement for endpoints

What is claimed is: 1. A method comprising: receiving, by a network device local to an endpoint in a network environment from a centralized network controller, a network-wide endpoint policy; configuring the endpoint to inject a first policy metadata into first data traffic, wherein the first policy metadata includes data specific to the first endpoint for locally applying policies to the first endpoint; receiving, by the network device from the first endpoint, the first policy metadata injected into the first data traffic; determining, by the network device, an endpoint specific policy for the first endpoint by evaluating the first policy metadata with respect to the network-wide endpoint policy; and locally applying, by the network device, the endpoint specific policy to control additional data traffic associated with the first endpoint. 2. The method of claim 1 , wherein the network device is on-path in one or more traffic flows to or from the first endpoint and the network device receives the first policy metadata with the first data traffic through at least one of the one or more traffic flows. 3. The method of claim 1 , wherein the first endpoint specific policy first endpoint specific policy is derived from the network-wide endpoint policy based on the first policy metadata. 4. The method of claim 1 , wherein the first policy metadata includes the data describing local operation of the first endpoint in the network environment with respect to the first data traffic. 5. The method of claim 1 , wherein the first policy metadata includes policy-agnostic metadata for the first endpoint. 6. The method of claim 1 , wherein the first policy metadata includes policy-specific metadata for the first endpoint, and the policy-specific metadata is generated to apply one or more explicit policies for the first endpoint. 7. The method of claim 1 , further comprising: identifying, by the network device, past policy metadata injected into past data traffic and received from the first endpoint; and determining, by the network device, the first endpoint specific policy for the first endpoint by evaluating the first policy metadata and the past policy metadata with respect to the network-wide endpoint policy. 8. The method of claim 1 , further comprising: removing, at the network device, the first policy metadata from the first data traffic; and preventing dissemination of the first policy metadata outside of the network device and into the network environment. 9. The method of claim 1 , further comprising: receiving, at the network device, policy updates to the network-wide endpoint policy; aggregating, by the network device, the policy updates to generate aggregated policy updates for the network-wide endpoint policy; modifying, by the network device, the first endpoint specific policy based on the aggregated policy updates to generate one or more updated first endpoint-specific policies; and applying, by the network device, the one or more updated first endpoint-specific policies to further control the additional data traffic associated with the first endpoint based on the policy updates. 10. A system comprising: one or more processors; and a computer-readable medium comprising instructions stored therein, which when executed by the one or more processors, cause the one or more processors to perform operations prising: receive, by a network device local to an endpoint in a network environment from a centralized network controller, a network-wide endpoint policy; configure the endpoint to inject a first policy metadata into first data traffic, wherein the first policy metadata includes data specific to the first endpoint for locally applying policies to the first endpoint; receive, by the network device from the first endpoint, the first policy metadata injected into the first data traffic; determine, by the network device, an endpoint specific policy for the first endpoint by evaluating the first policy metadata with respect to the network-wide endpoint policy; and locally apply, by the network device, the endpoint specific policy to control additional data traffic associated with the first endpoint. 11. The system of claim 10 , wherein the network device is on-path in one or more traffic flows to or from the first endpoint and the network device receives the first policy metadata with the first data traffic through at least one of the one or more traffic flows. 12. The system of claim 10 , wherein the first endpoint specific policy is derived from the network-wide endpoint policy based on the first policy metadata. 13. The system of claim 10 , wherein the first policy metadata includes the data describing local operation of the first endpoint in the network environment with respect to the first data traffic. 14. The system of claim 10 , wherein the first policy metadata includes policy-agnostic metadata for the first endpoint. 15. The system of claim 10 , wherein the first policy metadata includes policy-specific metadata for the first endpoint, and the policy-specific metadata is generated to apply one or more explicit policies for the first endpoint. 16. The system of claim 10 , the operations further comprising: identify, by the network device, past policy metadata injected into past data traffic and received from the first endpoint; and determine, by the network device, the first endpoint specific policy for the first endpoint by evaluating the first policy metadata and the past policy metadata with respect to the network-wide endpoint policy. 17. The system of claim 10 , the operations further comprising: remove, at the network device, the first policy metadata from the first data traffic; and prevent dissemination of the first policy metadata outside of the network device and into the network environment. 18. The system of claim 10 , the operations further comprising: receive, at the network device, policy updates to the network-wide endpoint policy; aggregate, by the network device, the policy updates to generate aggregated policy updates for the network-wide endpoint policy; modify, by the network device, the endpoint specific policy based on the aggregated policy updates to generate one or more updated first endpoint-specific policies; and apply, by the network device, the one or more updated first endpoint-specific policies to further control the additional data traffic associated with the first endpoint based on the policy updates. 19. A non-transitory computer-readable storage medium comprising instructions stored therein, which when executed by one or more processors, cause the one or more processors to perform operations comprising: receive, by a network device local to an endpoint in a network environment from a centralized network controller, a network-wide endpoint policy; configure the endpoint to inject a first policy metadata into first data traffic, wherein the first policy metadata includes data specific to the first endpoint for locally applying policies to the first endpoint; receive, by the network device from the first endpoint, the first policy metadata injected into the first data traffic; determine, by the network device, an endpoint specific policy for the first endpoint by evaluating the first policy metadata with respect to the network-wide endpoint policy; and locally apply, by the network device, the endpoint specific policy to control additional data traffic associated with the first endpoint. 20. The non-transitory computer-readable storage mediu