Bug 1898517 - Ironic auto-discovery may result in rogue nodes registered in ironic
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Dmitry Tantsur
QA Contact: Lubov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-17 12:08 UTC by Dmitry Tantsur
Modified: 2021-02-24 15:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Node auto-discovery is no longer enabled in baremetal IPI. It was not handled correctly and caused duplicate bare metal hosts registration.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:34:16 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:34:53 UTC

Description Dmitry Tantsur 2020-11-17 12:08:05 UTC
We have auto-discovery enabled in ironic-inspector-image, which means that anything that boots IPA and is not being deployed will be introspected and registered in ironic. Since BMO cannot detect such nodes, they prevent normal enrollment later on because of MAC address duplication.

Let us disable ironic auto-discovery until we support it in BMO.

Comment 2 Dmitry Tantsur 2021-01-06 13:20:07 UTC
Testing: make sure that just powering on a node (outside of openshift) does not result in adding it to ironic.

For example:
1) Deploy masters
2) Power on a worker manually without adding it to OpenShift (e.g. via ipmitool or its web UI).
3) The worker may or may not boot the inspection ramdisk, but in the end should fail and no new node should appear in ironic.
3.1) If the worker does not network boot by default, it's worth manually setting it to network boot in the firmware settings (or using ipmitool).
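
Added example, not part of the original bug comments: a check for the condition this bug describes. It lists ironic nodes whose port MACs match no BareMetalHost and shows which planned enrollments they would block. The input shapes (ironic port records with `address` and `node_uuid`, BareMetalHost objects with `spec.bootMACAddress`), the function names and all sample values are assumptions constructed for illustration.

```python
# Added example with constructed data; not code from ironic, BMO or the bug report.

def norm(mac):
    """Normalise a MAC so 52-54-00-AA-BB-01 and 52:54:00:aa:bb:01 compare equal."""
    return mac.strip().lower().replace("-", ":")

def find_rogue_nodes(ironic_ports, bare_metal_hosts):
    """Return {node_uuid: [macs]} for ironic nodes that no BareMetalHost accounts for."""
    known = {norm(h["spec"]["bootMACAddress"])
             for h in bare_metal_hosts
             if h.get("spec", {}).get("bootMACAddress")}
    by_node = {}
    for port in ironic_ports:
        by_node.setdefault(port["node_uuid"], []).append(norm(port["address"]))
    # A node is accounted for if any of its ports carries a BMH boot MAC.
    return {uuid: sorted(macs) for uuid, macs in by_node.items()
            if not known.intersection(macs)}

def blocked_enrollments(rogue_nodes, planned_macs):
    """Map each planned boot MAC to the rogue node already holding it, if any."""
    holder = {mac: uuid for uuid, macs in rogue_nodes.items() for mac in macs}
    return {norm(m): holder[norm(m)] for m in planned_macs if norm(m) in holder}

# Constructed sample: two masters managed by BMO, one worker that was only powered on.
PORTS = [
    {"node_uuid": "node-master-0", "address": "52:54:00:AA:BB:01"},
    {"node_uuid": "node-master-1", "address": "52:54:00:aa:bb:02"},
    {"node_uuid": "node-discovered", "address": "52:54:00:aa:bb:10"},
    {"node_uuid": "node-discovered", "address": "52:54:00:aa:bb:11"},
]
HOSTS = [
    {"metadata": {"name": "master-0"}, "spec": {"bootMACAddress": "52:54:00:aa:bb:01"}},
    {"metadata": {"name": "master-1"}, "spec": {"bootMACAddress": "52-54-00-AA-BB-02"}},
]

if __name__ == "__main__":
    rogue = find_rogue_nodes(PORTS, HOSTS)
    for uuid, macs in rogue.items():
        print(f"ironic node {uuid} has no BareMetalHost: {', '.join(macs)}")
    for mac, uuid in blocked_enrollments(rogue, ["52:54:00:AA:BB:10"]).items():
        print(f"enrolling {mac} would collide with {uuid}")
```

With auto-discovery disabled, the test in Comment 2 corresponds to `find_rogue_nodes` returning an empty result after the worker has been powered on.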

Comment 6 errata-xmlrpc 2021-02-24 15:34:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

