From 1358f3fb1bfda335975a2518a0b395b2af43ec51 Mon Sep 17 00:00:00 2001
From: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Date: Thu, 21 Mar 2024 13:22:27 -0400
Subject: [PATCH] Log "Forbidden" update errors

ref: https://issues.redhat.com/browse/ACM-10612
Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
(cherry picked from commit b5b610b08a4a0b2c0fea0e5763962345f7b9aa60)
---
 controllers/configurationpolicy_controller.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/controllers/configurationpolicy_controller.go b/controllers/configurationpolicy_controller.go
index b96bc546..995d99c3 100644
--- a/controllers/configurationpolicy_controller.go
+++ b/controllers/configurationpolicy_controller.go
@@ -2628,6 +2628,8 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 				// If an inform policy and the update is forbidden (i.e. modifying Pod spec fields), then return
 				// noncompliant since that confirms some fields don't match.
 				if k8serrors.IsForbidden(err) {
+					log.Info(fmt.Sprintf("Dry run update failed with error: %s", err.Error()))
+
 					r.setEvaluatedObject(obj.policy, obj.existingObj, false)
 
 					return true, "", false, false