diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 56877f10417..d1f447140cd 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -560,6 +560,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 4b35d7e8224..81a5a9d80be 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -601,6 +601,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 9ab900993ae..4c1829233da 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -944,6 +944,13 @@ function construct-windows-kubeproxy-flags {
 # so we actually log to the file
 flags+=" --logtostderr=false"
 
+ # Enabling Windows DSR mode unlocks newer network features and reduces
+ # port usage for services.
+ # https://techcommunity.microsoft.com/t5/networking-blog/direct-server-return-dsr-in-a-nutshell/ba-p/693710
+ if [[ "${WINDOWS_ENABLE_DSR:-}" == "true" ]]; then
+ flags+=" --feature-gates=WinDSR=true --enable-dsr=true "
+ fi
+
 # Configure flags with explicit empty string values. We can't escape
 # double-quotes, because they still break sc.exe after expansion in the
 # binPath parameter, and single-quotes get parsed as characters instead
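Review bot: The string appended in the `WINDOWS_ENABLE_DSR` branch ends with a trailing space, while the context line above it (`flags+=" --logtostderr=false"`) uses a leading space only. Since the comment just below says this string is expanded into the sc.exe binPath parameter, I would drop the trailing space: `flags+=" --feature-gates=WinDSR=true --enable-dsr=true"`. The branch also emits its own `--feature-gates=` flag, and the body of construct-windows-kubeproxy-flags starts and ends outside this hunk, so it is worth confirming that any other `--feature-gates` value the function passes is merged with this one rather than one replacing the other. The new comment could also state that only the exact value `true` turns DSR on and that with DSR the replies no longer return through the load balancer, which matters to anyone who relies on that hop for filtering or logging.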