chore: add CSP and CORS instructions

Author: olevski

docs/docs/20-admins/30-operation/50-remote.md

@@ -376,6 +376,81 @@ When using `"session_ingress_use_default_cluster_tls_cert": true`,
 _you have to set_ `"session_tls_secret_name": ""` as well, otherwise the API call will fail.
 :::
 
+:::note
+If creating the resource pool fails with a message like `Could not find cluster with id XXXXXX in the list of clusters`. This means that you either got the cluster ID wrong or you need to restart the `data_service`, `k8s_watcher` and `data_tasks` services after you have added a new kubeconfig to the kubeconfigs secret.
+:::
+
+### Security considerations
+
+Renku sessions are embedded in an iframe. And when you run the session on a remote cluster
+then the session hostname is different from the website hostname that hosts the iframe.
+So to make this work we need to set the `SameSite` property on the session cookie to `none`.
+
+This raises additional security concerns that should be mitigated as follows on the 
+remote cluster ingress configuration.
+
+:::note
+It may acceptable to just always open remote sessions in Renku via a separate tab.
+If this is the case then do not set the `SameSite` property to `none` and you do not have
+to implement the additional mitigations discussed below.
+:::
+
+1. Enable Cross-Origin Resource Sharing (CORS)
+
+```yaml
+nginx.ingress.kubernetes.io/enable-cors: "true"
+nginx.ingress.kubernetes.io/cors-allow-origin: "https://<remote hostname>"
+nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, PATCH, OPTIONS"
+nginx.ingress.kubernetes.io/cors-allow-headers: "$http_access_control_request_headers"
+```
+
+:::info
+You should add the `--skip-auth-preflight=true` to oauth2proxy in the session.
+This can be done via Helm chart values on the amalthea-sessions Helm chart.
+:::
+
+2. Specify a Content Security Policy (CSP)
+
+This says what hosts can embed the session in an iframe. If you are using nginx ingress
+as the ingress controller, you can set this via the following ingress annotation:
+
+```yaml
+nginx.ingress.kubernetes.io/configuration-snippet: |
+  more_set_headers "Content-Security-Policy: frame-ancestors 'self' <remote hostname>";
+```
+
+With all of these ingress headers, the payload to create the cluster configuration via the API
+would look something like this:
+
+```yaml
+{
+  "name": "Remote Cluster",
+  "config_name": "remote-cluster.yaml",
+  "session_protocol": "https",
+  "session_host": "sessions.example.org",
+  "session_port": 443,
+  "session_path": "/sessions",
+  "session_ingress_class_name": "renku-user-session-ingress-class",
+  "session_ingress_annotations": {
+    "nginx.ingress.kubernetes.io/enable-cors": "true",
+    "nginx.ingress.kubernetes.io/cors-allow-origin": "https://<local hostname>",
+    "nginx.ingress.kubernetes.io/cors-allow-credentials": "true",
+    "nginx.ingress.kubernetes.io/cors-allow-methods": "GET, PUT, POST, DELETE, PATCH, OPTIONS",
+    "nginx.ingress.kubernetes.io/cors-allow-headers": "\"$http_access_control_request_headers\"",
+    "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \"Content-Security-Policy: frame-ancestors 'self' https://<local hostname>\";\n",
+  },
+  "session_storage_class": "renku-user-session-storage-class",
+  "session_tls_secret_name": "",
+  "session_ingress_use_default_cluster_tls_cert": true
+}
+```
+
+:::warning
+Removing or not setting the CORS and CSP headers above can have serious security implications.
+If you are using a different controller make sure you set all equivalent annotations.
+:::
+
 ### Create a resource pool for the remote cluster
 
 Once the cluster connection has been defined, you can use the GET operation to retrieve the cluster connection descriptor, and from there retrieve the associated ULID and create a resource pool which is linked to it.