When a hosted cluster is removed from ACM, it triggers the hosted cluster instance of the config-policy-controller to be uninstalled on the hosting cluster.

If any ConfigurationPolicy uses pruneObjectBehavior, they will have finalizers set on them. During an uninstall, the finalizers are immediately removed on the next evaluation of the ConfigurationPolicy with pruneObjectBehavior set so that the uninstall can proceed immediately.

The issue is if the ConfigurationPolicy sets evaluationInterval to a long value, the finalizer won't be removed until the next evaluation time, which could be hours. SD's environment sets this to 2 hours as of now.

This is not an issue when it's not deployed in hosted mode because the CRD is also deleted at the same time, which causes the ConfigurationPolicy to have a deletionTimestamp which then causes immediate evaluation for the finalizer to be removed.

Another issue is that the config-policy-controller pod was deleted before the cleanup could occur. This happens because the controller would just exit as soon as the SIGINT signal was received.