From client-go code against a 3.11 server (from the cluster-bot) if the pod is deleted it looks like something in the middle (probably admission plugin) is wrapping the 404 with a 403. It should not wrap, and should return pod "launch-aws" not found. 2019/06/23 22:08:27 Unable to retrieve config contents for ci-ln-x4h7l62/launch-aws: pods "launch-aws" is forbidden: pods "launch-aws" not found Set to high because it may still be broken in 4.1/4.2/upstream.
https://github.com/openshift/origin/blob/release-3.11/pkg/security/apiserver/admission/sccadmission/scc_exec.go#L53-L56 pod, err := d.client.Core().Pods(a.GetNamespace()).Get(a.GetName(), metav1.GetOptions{}) if err != nil { return admission.NewForbidden(a, err) } It should properly return not found.
Confirmed with payload: 4.3.0-0.nightly-2019-12-05-213858, the issue has fixed: [root@dhcp-140-138 oc-client]# oc get po NAME READY STATUS RESTARTS AGE django-psql-example-1-build 0/1 Completed 0 2m1s django-psql-example-1-cx7wf 1/1 Running 0 40s django-psql-example-1-deploy 0/1 Completed 0 48s postgresql-1-deploy 0/1 Completed 0 2m postgresql-1-qxf2j 1/1 Running 0 112s [root@dhcp-140-138 oc-client]# oc delete po postgresql-1-qxf2j pod "postgresql-1-qxf2j" deleted [root@dhcp-140-138 oc-client]# oc describe po/postgresql-1-qxf2j Error from server (NotFound): pods "postgresql-1-qxf2j" not found
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062