Add GCE Kubernetes option to enable Windows DSR.

cluster/gce/config-default.sh

@@ -560,6 +560,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver. 
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""

cluster/gce/config-test.sh

@@ -601,6 +601,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""

cluster/gce/util.sh

@@ -944,6 +944,13 @@ function construct-windows-kubeproxy-flags {
   # so we actually log to the file
   flags+=" --logtostderr=false"
 
+  # Enabling Windows DSR mode unlocks newer network features and reduces
+  # port usage for services.
+  # https://techcommunity.microsoft.com/t5/networking-blog/direct-server-return-dsr-in-a-nutshell/ba-p/693710
+  if [[ "${WINDOWS_ENABLE_DSR:-}" == "true" ]]; then
+    flags+=" --feature-gates=WinDSR=true --enable-dsr=true "
+  fi
+
   # Configure flags with explicit empty string values. We can't escape
   # double-quotes, because they still break sc.exe after expansion in the
   # binPath parameter, and single-quotes get parsed as characters instead