Description of problem:
Currently, it is possible to add a managedPolicy in a ClusterGroupUpgrade manifest that is already enforced.

Version-Release number of selected component (if applicable):
4.10

How reproducible:
Always

Steps to Reproduce:
1. Create an enforced ACM policy by creating an ACM policy directly or a PGT with the remediationAction equal to enforce
2. Verify that the policy is patching the targeted clusters
3. Create a CGU manifest that includes the previous enforced policy

Actual results:
A copy of the previous enforced policy is created by the UOCR in enforce mode too

Expected results:
No copy policy needs to be created by the UOCR since the original policy was set to enforce.

Additional info:

Change to verified to unblock backport to 4.10