content/en/boilerplates/cve-2020-007-configmap.md
Create a config map by downloading `custom-bootstrap-runtime.yaml`. Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting TCP connections.

{{< text bash >}}
$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
{{< /text >}}

Patch the ingress gateway deployment to use the above configuration. Download `gateway-patch.yaml` and apply it using the following command.

{{< text bash >}}
$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
{{< /text >}}

Confirm that the new limits are in place.

{{< text bash >}}
$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
$ kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
    "entries": {
        "overload.global_downstream_max_connections": {
            "layer_values": [
                "",
                "250000",
                ""
            ],
            "final_value": "250000"
        }
    },
    "layers": [
        "static_layer_0",
        "admin"
    ]
}
{{< /text >}}
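
The confirmation step above inspects only the first gateway pod (`.items[0]`). The following added example, which is not part of the original Istio instructions, checks the saved `/runtime` output of several pods against the value you configured; the pod names and the failing outputs are constructed for illustration.

```python
import json

KEY = "overload.global_downstream_max_connections"

def check_connection_limit(runtime_json, expected):
    """Return (ok, reason) for one pod's /runtime admin output."""
    try:
        doc = json.loads(runtime_json)
    except json.JSONDecodeError as exc:
        return False, f"output is not JSON: {exc.msg}"
    entries = doc.get("entries") if isinstance(doc, dict) else None
    entry = entries.get(KEY) if isinstance(entries, dict) else None
    if not isinstance(entry, dict):
        return False, "key absent: the runtime limit was not loaded"
    raw = entry.get("final_value")
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return False, f"final_value {raw!r} is not an integer"
    if value != expected:
        return False, f"final_value {value} differs from expected {expected}"
    return True, f"limit of {value} connections is in effect"

def audit(outputs, expected):
    """Check every pod's output; return {pod: (ok, reason)}."""
    return {pod: check_connection_limit(text, expected)
            for pod, text in outputs.items()}

# Constructed sample input: pod names are hypothetical. The first body mirrors
# the output shown above; the others are failure cases built for illustration.
SAMPLE_OUTPUTS = {
    "gateway-pod-a": '{"entries": {"overload.global_downstream_max_connections": '
                     '{"layer_values": ["", "250000", ""], "final_value": "250000"}}, '
                     '"layers": ["static_layer_0", "admin"]}',
    "gateway-pod-b": '{"entries": {}, "layers": ["admin"]}',
    "gateway-pod-c": '{"entries": {"overload.global_downstream_max_connections": '
                     '{"layer_values": ["100"], "final_value": "100"}}, "layers": ["admin"]}',
    "gateway-pod-d": "curl: (7) Failed to connect",
}

if __name__ == "__main__":
    for pod, (ok, reason) in audit(SAMPLE_OUTPUTS, expected=250000).items():
        print(f"{'OK  ' if ok else 'FAIL'} {pod}: {reason}")
```

To use it against a live deployment, collect the `curl -sS http://localhost:15000/runtime` output from each `istio-ingressgateway` pod and pass the results to `audit` keyed by pod name.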