Just noticed that after I update my appname:latest tag to a new image, the command I expected to run an exact debugging clone of a terminated POD is actually pulling the latest! I've searched (briefly) in Kubernetes and Openshift references, but found nothing specific. Looks like a bug, or at least counter-intuitive to debugging. Is there a way to force it, other than using explicit image IDs instead of tags in DeploymentConfigs?
The oc debug command would usually be run against the deployment config. Since there is no concept of versioning of resources such as deployment config, the command will use whatever image is matched by the deployment config at that time.
If the way you have set up the deployment config uses an image stream, then to maintain multiple versions of images so you can rollback to prior images, you shouldn't use latest tag alone. Instead each time you build and have a good image, tag that specific image in the image stream and then update the deployment config to use that tagged image in the image stream.
If that model was followed and you had incremented the tag version, then you could still go back to a prior version if you needed to debug it.
If you aren't using an image stream but are hosting on a remote registry, you would still want to tag each separate image you use so you can do the same.
I am not sure what you feel is a bug.