Azure / AKS-Edge

Welcome to the Azure Kubernetes Service (AKS) Edge repo.

[BUG] AKS EE install does not fail when Azure Arc does not have required permissions #147

Open EliiseS opened 9 months ago

EliiseS commented 9 months ago

Describe the bug

When setting up AKS EE with Azure Arc using an SP that does not have permission to READ the resource group Azure Arc is set to be provisioned in, the install succeeds and Azure Arc is initialized in the cluster; however, the Azure Arc pods will start to fail with certificate and volume mount issues.

When uninstalling Azure Arc from the cluster and reinstalling it with the Azure CLI command (using the same SP as above):

az connectedk8s connect --name aks-edge-stack-test --resource-group ***

We'll end up getting an error for not having enough permissions to read the resource group:

az connectedk8s connect -n aks-edge-stack-test -l eastus2 -g *** --subscription ***
This operation might take a while...

The outbound network connectivity check has failed for the endpoint - https://eastus2.obo.arc.azure.com:8084/
This will affect the "cluster-connect" feature. If you are planning to use "cluster-connect" functionality , please ensure outbound connectivity to the above endpoint.

The required pre-checks for onboarding have succeeded.
Http response error occured while making ARM request: (AuthorizationFailed) The client '***' with object id '***' does not have authorization to perform action 'Microsoft.Kubernetes/connectedClusters/read' over scope '/subscriptions/***/resourcegroups/***/providers/Microsoft.Kubernetes/connectedClusters/aks-edge-stack-test' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '***' with object id '***' does not have authorization to perform action 'Microsoft.Kubernetes/connectedClusters/read' over scope '/subscriptions/***/resourcegroups/***/providers/Microsoft.Kubernetes/connectedClusters/aks-edge-stack-test' or the scope is invalid. If access was recently granted, please refresh your credentials.
Summary: Failed to check if connected cluster resource already exists.

Because of this error, the Azure CLI command never installs Azure Arc in the cluster, since they would fail to start, as we saw with the AKS EE installation.

To Reproduce

Steps to reproduce the behavior:

  1. Set up AKS EE with Azure Arc with an SP that does not have permission to READ the resource group Azure Arc
  2. See Azure Arc pods fail to start

Expected behavior

AKS EE should check that Azure Arc has the required permissions to proceed with the provided SP, as the Azure CLI command does, and fail the installation process if not enough permissions are found.

Environment (please complete the following information):
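A pre-flight check of the kind the expected behaviour above asks for, as an added example (not code from AKS Edge or the Azure CLI): it evaluates the roles assigned to the SP for the action named in the error output, `Microsoft.Kubernetes/connectedClusters/read`, using Azure RBAC semantics (Actions minus NotActions, `*` wildcards). The role definitions are constructed in the JSON shape `az role definition list` returns; the role names and function names are assumptions of this example.

```python
"""Added example (not AKS Edge or Azure CLI code): pre-flight check that the
SP's assigned roles grant Microsoft.Kubernetes/connectedClusters/read before
Arc is initialized in the cluster. Role sets below are constructed."""
import json
import re

REQUIRED_ACTION = "Microsoft.Kubernetes/connectedClusters/read"


def action_matches(pattern: str, action: str) -> bool:
    """RBAC action patterns: '*' matches any characters, including '/';
    the comparison is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role_def: dict, action: str) -> bool:
    """A role grants an action when some permission block lists it in
    actions and no entry in notActions takes it back."""
    for perm in role_def.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(role_defs_json: str, action: str = REQUIRED_ACTION) -> list:
    """Names of the assigned roles that grant `action`; an empty list means
    the installer should stop before initializing Arc in the cluster."""
    return [r["roleName"] for r in json.loads(role_defs_json) if role_grants(r, action)]


# Constructed role sets in the shape of `az role definition list` output.
ROLES_WITH_READ = json.dumps([
    {"roleName": "constructed-reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "constructed-deployer",
     "permissions": [{"actions": ["Microsoft.Resources/deployments/write"], "notActions": []}]},
])
ROLES_WITHOUT_READ = json.dumps([
    {"roleName": "constructed-k8s-no-read",  # wildcard grant, read taken back
     "permissions": [{"actions": ["Microsoft.Kubernetes/*"], "notActions": ["*/read"]}]},
])

if __name__ == "__main__":
    for label, roles in (("ok", ROLES_WITH_READ), ("missing", ROLES_WITHOUT_READ)):
        print(label, roles_granting(roles) or "refuse to proceed: SP cannot read connectedClusters")
```

In practice the JSON comes from `az role definition list --name <role>` for each assignment `az role assignment list --assignee <sp> --scope <resource-group>` reports; a missing grant is the point at which the installer should stop instead of letting the Arc pods fail later.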

SummerSmith commented 8 months ago

We have created a bug (25840088) to track this internally. I will post any updates here.