Updating a Deployment by changing the "image:" field to point to a new ImageStream name or tag does not resolve to the the registry URI and causes the workload to fail

  Always  

 1. Create an ImageStream/imagestreamname with a tag "imagestreamtag"
 2. Create a Kustomization that defines a Deployment that references the ImageStream using .spec.template.spec.containers.image=imagestreamname:imagestreamtag      
 3. "kustomize build | oc apply --server-side -f -" to apply your Deployment
 4. Verify that the Deployment's .spec.template.spec.containers.image is rewritten to the RHOS internal registry URI like  registry.redhat.io/workload-namespace-here/imagestreamname@sha256:somedigesthere, a Pod is created, and the Pod pulls the image fine
 5. Repeat the same apply command again to rewrite the Deployment's image
 6. Verify that the image reference in the deployment is now "imagestreamname:imagestreamtag", it has not been rewritten
 7. observe "oc events" which will show pull errors for "docker.io/library" relating to the image     

deployment has .spec.template.spec.containers[0].image = imagestreamname:imagestreamtag

pod for deployment in ImagePullBackoff

kube events like:

Warning   Failed                            Pod/some-pod                         Failed to pull image "imagestreamname:imagestreamtag": reading manifest latest in docker.io/library/imagestreamname: requested access to the resource is denied  

 Deployment should have the image updated by RHOS to expand the imagestream tag when the deployment is patched to change the image.