Validate CSP permissions

pkg/monitor/cluster/cluster.go

@@ -25,6 +25,7 @@ import (
 	arov1alpha1 "github.com/Azure/ARO-RP/pkg/operator/apis/aro.openshift.io/v1alpha1"
 	aroclient "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned"
 	"github.com/Azure/ARO-RP/pkg/util/steps"
+	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
 )
 
 type Monitor struct {
@@ -44,6 +45,7 @@ type Monitor struct {
 
 	ocpclientset  client.Client
 	hiveclientset client.Client
+	validator     dynamic.Dynamic
 
 	// access below only via the helper functions in cache.go
 	cache struct {
@@ -55,7 +57,7 @@ type Monitor struct {
 	}
 }
 
-func NewMonitor(log *logrus.Entry, restConfig *rest.Config, oc *api.OpenShiftCluster, m metrics.Emitter, hiveRestConfig *rest.Config, hourlyRun bool) (*Monitor, error) {
+func NewMonitor(log *logrus.Entry, restConfig *rest.Config, oc *api.OpenShiftCluster, m metrics.Emitter, hiveRestConfig *rest.Config, hourlyRun bool, validator dynamic.Dynamic) (*Monitor, error) {
 	r, err := azure.ParseResourceID(oc.ID)
 	if err != nil {
 		return nil, err
@@ -127,6 +129,7 @@ func NewMonitor(log *logrus.Entry, restConfig *rest.Config, oc *api.OpenShiftClu
 		m:             m,
 		ocpclientset:  ocpclientset,
 		hiveclientset: hiveclientset,
+		validator:     validator,
 	}, nil
 }
 
@@ -199,6 +202,7 @@ func (mon *Monitor) Monitor(ctx context.Context) (errs []error) {
 		mon.emitHiveRegistrationStatus,
 		mon.emitOperatorFlagsAndSupportBanner,
 		mon.emitPucmState,
+		mon.emitValidatePermissions,
 		mon.emitCertificateExpirationStatuses,
 		mon.emitEtcdCertificateExpiry,
 		mon.emitPrometheusAlerts, // at the end for now because it's the slowest/least reliable

pkg/monitor/cluster/validatepermissions.go

@@ -0,0 +1,44 @@
+package cluster
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
+)
+
+/***************************************************************
+	Monitor the Cluster Service Prinicpal required Permissions
+****************************************************************/
+
+func (mon *Monitor) emitValidatePermissions(ctx context.Context) error {
+	subnets := []dynamic.Subnet{{
+		ID:   mon.oc.Properties.MasterProfile.SubnetID,
+		Path: "properties.masterProfile.subnetId",
+	}}
+
+	err := mon.validator.ValidateVnet(ctx, mon.oc.Location, subnets, mon.oc.Properties.NetworkProfile.PodCIDR,
+		mon.oc.Properties.NetworkProfile.ServiceCIDR)
+	if err != nil {
+		mon.emitGauge("cluster.validate.permissions", 1, map[string]string{
+			"ValidateVnetPermissions": "Required permissions missing",
+		})
+	}
+
+	err = mon.validator.ValidateSubnets(ctx, mon.oc, subnets)
+	if err != nil {
+		mon.emitGauge("cluster.validate.permissions", 1, map[string]string{
+			"ValidateSubnet": "Required permissions Missing",
+		})
+	}
+
+	err = mon.validator.ValidateDiskEncryptionSets(ctx, mon.oc)
+	if err != nil {
+		mon.emitGauge("cluster.validate.permissions", 1, map[string]string{
+			"ValidateDiskEncryptionSet": "Required permissions Missing",
+		})
+	}
+	return nil
+}

pkg/monitor/cluster/validatepermissions_test.go

@@ -0,0 +1,12 @@
+package cluster
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"testing"
+)
+
+func TestEmitValidatePermissions(t *testing.T) {
+
+}

pkg/monitor/worker.go

@@ -9,15 +9,21 @@ import (
 	"reflect"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/jongio/azidext/go/azidext"
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/rest"
 
 	"github.com/Azure/ARO-RP/pkg/api"
+	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/monitor/cluster"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 	"github.com/Azure/ARO-RP/pkg/util/recover"
 	"github.com/Azure/ARO-RP/pkg/util/restconfig"
+	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
 )
 
 // This function will continue to run until such time as it has a config to add to the global Hive shard map
@@ -246,7 +252,48 @@ func (mon *monitor) workOne(ctx context.Context, log *logrus.Entry, doc *api.Ope
 		log.Warnf("no hiveShardConfigs set for shard %d", shard)
 	}
 
-	c, err := cluster.NewMonitor(log, restConfig, doc.OpenShiftCluster, mon.clusterm, hiveRestConfig, hourlyRun)
+	var spClientCred azcore.TokenCredential
+	var pdpClient remotepdp.RemotePDPClient
+	spp := doc.OpenShiftCluster.Properties.ServicePrincipalProfile
+	_env, err := env.NewEnv(ctx, log)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	sub := mon.subs[r.SubscriptionID]
+	tenantID := sub.Subscription.Properties.TenantID
+	options := _env.Environment().ClientSecretCredentialOptions()
+	spTokenCredential, err := azidentity.NewClientSecretCredential(
+		tenantID, spp.ClientID, string(spp.ClientSecret), options)
+
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	scopes := []string{_env.Environment().ResourceManagerScope}
+	spAuthorizer := azidext.NewTokenCredentialAdapter(spTokenCredential, scopes)
+
+	spDynamic := dynamic.NewValidator(
+		log,
+		_env,
+		_env.Environment(),
+		sub.ID,
+		spAuthorizer,
+		spp.ClientID,
+		dynamic.AuthorizerClusterServicePrincipal,
+		spClientCred,
+		pdpClient,
+	)
+
+	c, err := cluster.NewMonitor(log, restConfig, doc.OpenShiftCluster, mon.clusterm, hiveRestConfig, hourlyRun, spDynamic)
 	if err != nil {
 		log.Error(err)
 		mon.m.EmitGauge("monitor.cluster.failedworker", 1, map[string]string{

test/e2e/monitor.go

@@ -20,7 +20,7 @@ var _ = Describe("Monitor", func() {
 		By("creating a new monitor instance for the test cluster")
 		mon, err := cluster.NewMonitor(log, clients.RestConfig, &api.OpenShiftCluster{
 			ID: resourceIDFromEnv(),
-		}, &noop.Noop{}, nil, true)
+		}, &noop.Noop{}, nil, true, nil)
 		Expect(err).NotTo(HaveOccurred())
 
 		By("running the monitor once")