Let's say something like this is being returned when attempting to delete a resource, such as a service account. This happened to me when attempting to delete a service account from one of the default namespaces such as the "default" namespace on Red Hat OpenShift on Amazon Web Services (ROSA), even as cluster-admin.

~]# oc whoami
cluster-admin

~]# oc delete my-service-account --namespace default
Error from server (Deleting protected service account under namespace default is not allowed): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace default is not allowed

This is not limited to only the "default" namespace. I also had this issue when a service account was mistakenly created in the kube-system namespace, even as cluster-admin.

~]# oc whoami
cluster-admin

~]# oc delete my-service-account --namespace kube-system
Error from server (Deleting protected service account under namespace kube-system is not allowed): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace kube-system is not allowed

This has something to do with the sre-serviceaccount-validation webhook resource.

]$ oc get ValidatingWebhookConfiguration 
NAME                                                   WEBHOOKS   AGE
sre-serviceaccount-validation                          1          15d

I opened a case with Red Hat support and they confirmed that certain resources (such as service accounts) in certain namespace (such as default and kube-system) cannot be deleted on ROSA, even as cluster-admin. A case must be opened with Red Hat to have the resource deleted.