Marc Boorshtein

> @mlbiam could interesting if you could share some anonymous telemetry of your cluster, like a number of namespaces, workloads, services, etc. That would help us a lot with these...

To @lucasponce points: > The namespaces API (if it's not changed in recent versions) requires cluster admins, so, you'd need to ask if you can access or not. No, to...

@lucasponce some numbers for you: 42 clusters est per cluster: 100 nodes / 16x128 300 namespaces 600 users 60 tenants These are all on-prem clusters run as Anthos

As in the deployer for openstack isn't implemented yet?

we've forked this project to keep it up to date - https://github.com/tremolosecurity/kube-oidc-proxy. Here are the details of our changes - https://www.tremolosecurity.com/post/updating-kube-oidc-proxy

@danielrubin1989 no slack channel, but if you open an issue on https://github.com/tremolosecurity/kube-oidc-proxy we'll do our best to help out.

From what I remember the call to `/kiali/authenticate` is what triggers the initiation of the session with a subject access review (since the token can be anything, not just oidc)....

> To put it a bit more succinctly, the problem isn't that Kiali is making a call to /kiali/authenticate, it's that it's setting an invalid Authorization header first. Arguably, it...

> Our proxy supports authentication with both bearer tokens and basic auth credentials, so we can't just strip out Authorization headers. If we see an Authorization header, we have to...

think it is resolved, so much as we've identified the issue and where it needs to be fixed. i'm spread thin right now so i can't do it at the...