Add instructions to set global_downstream_max_connections (#12761)

* doc-global-downstream-max-conn-helm * Add instructions to set global_downstream_max_connections with Helm * Fix https://github.com/istio/istio/issues/37443 * Fix linting errors * Address comments * Remove global_downstream_max_connections from .spelling and add backticks where missing * Simplify instructions on how to set global_downstream_max_connections
2023-02-23 16:25:55 +00:00 · 2023-02-23 16:25:55 +00:00 · 073ccdec9d
parent ff3b750d40
commit 073ccdec9d
2 changed files with 11 additions and 2 deletions
--- a/.spelling
+++ b/.spelling
@ -1113,4 +1113,4 @@ Zipkin
 Ziyang
 Zolotusky
 ztunnel
-ztunnels
+ztunnels
--- a/content/en/docs/ops/best-practices/security/index.md
+++ b/content/en/docs/ops/best-practices/security/index.md
@ -675,4 +675,13 @@ While most cloud providers support this feature now, many local development tool

 By default, Istio (and Envoy) have no limit on the number of downstream connections. This can be exploited by a malicious actor (see [security bulletin 2020-007](/news/security/istio-security-2020-007/)). To work around you this, you must configure an appropriate connection limit for your environment.

-{{< boilerplate cve-2020-007-configmap >}}
+### Configure `global_downstream_max_connections` value
+
+The following configuration can be supplied during installation:
+
+{{< text yaml >}}
+meshConfig:
+  defaultConfig:
+    runtimeValues:
+      "overload.global_downstream_max_connections": "100000"
+{{< /text >}}