Ensuring Full Enforcement of ValidatingWebhookConfiguration for Namespace Lock

As mentioned in Dynamic Admission Control | Kubernetes:

“After you create the webhook configuration, the system will take a few seconds to honor the new configuration.”

I recently encountered a situation where certain pod creation requests managed to bypass the validation of my ValidatingWebhookConfiguration, even after it had been created.

I’m currently working on a function that utilizes a ValidatingWebhookConfiguration to enforce a “lock” on a namespace, preventing any pod creations within it. Initially, this approach worked effectively for me, until I found out about this limitation.

I’m seeking assistance in finding a way to know when the ValidatingWebhookConfiguration is fully honored and it is safe to say that after this point in time all pod creation requests will go through my validation. Is there a flag or event that can indicate it?