I'm having a pod in a deployment reliably fail with a "SandboxChanged" error

I’m deploying an application with a basic architecture and Helm chart. I had previously been trying to do a rolling deployment with a standard kubectl apply command, but the update would always fail, with new, dead containers continually created with every deployment.

In search of a solution, I shifted over to using Helm in the hopes that it would solve itself. I still have the problem but am at least seeing a new error.

The pod starts fine, but suffers a pull failure.

Failed to pull image "registry.gitlab.com/<user>/<name>:<rag>": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.gitlab.com/v2/<user>/<name>/manifests/<tag>: unauthorized: HTTP Basic: Access denied

After the standard flow, I see a new error.

Pod sandbox changed, it will be killed and re-created.

After this, the standard Error: ImagePullBackOff loop begins.

What does this error mean? I want to stress that two of the three pods start just fine, but one pod always fails. As such, I assume it is not a problem with my Gitlab auth information.

If I delete my deployment before doing the new deploy, everything works.