Even though I’ve registered my known host according to the documentation, Okteto keeps returning errors saying that the host is not found. I’ve double-checked that the hostname and key are correctly added, but the issue persists.
Additionally, when I try to use ssh-keyscan (as suggested in the docs) to retrieve the host key, it doesn’t seem to work correctly inside my Okteto environment — it either times out or returns an empty response.
Has anyone else experienced this behavior?
Is there something I might be missing in the configuration or in how Okteto validates known hosts?
Any help or clarification from the Okteto team would be greatly appreciated.
Thanks in advance!
Some logs:
ssh-keyscan failed after 8 attempts: failed to retrieve the SSH keys from "gitlab.ourdomain.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.ourdomain.com": exit status 1
error in FinishPipeline: Post "https://okteto.dev.ourdomain.com/graphql": read tcp 10.255.222.9:57900->172.20.237.72:443: read: connection reset by peer
Hey @marticardus, based on the error messages, it doesn’t seem like the error is related to KNOWN_HOSTS but instead to network access between Okteto and GitLab.
Can you verify that Okteto is able to resolve the DNS and reach out to your GitLab instance? Other users in the past have had to explicitly open the HTTPS and/or SSH ports on their firewall and GitLab configurations for this to work.
I found this on some pods: (buildkit, registry, installer)
/ # cat /etc/hosts
172.20.237.72 okteto.dev.ourdomain.com
172.20.237.72 registry.dev.ourdomain.com
This causes the error (error in FinishPipeline: Post “https://okteto.dev.ourdomain.com/graphql”: read tcp 10.255.222.9:57900->172.20.237.72:443: read: connection reset by peer), because it is the internal address of the ingress-nginx service with proxy protocol enabled. If I remove these entries, the service responds correctly.
But I think this is another problem that I need to resolve, maybe in another thread?
The current problem, as I understand it, is that despite having the “Known hosts” configured, it is doing a scan, when it should directly clone the repository.
Successfully assigned okteto/installer-c8f3fca8-af41-4464-b843-a164bcb15ac4-4hq57 to ip-10-255-199-115.eu-west-3.compute.internal
Created pod: installer-c8f3fca8-af41-4464-b843-a164bcb15ac4-4hq57
Container image "okteto/okteto:3.12.0" already present on machine
Created container: setup
Started container setup
Container image "okteto/pipeline-runner:1.37.1" already present on machine
Created container: installer
Started container installer
Deploying Dev Environment
initialized kubernetes client with InClusterConfig
ssh-keyscan operation failed (attempt 1/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 1s (attempt 2/8)
ssh-keyscan operation failed (attempt 2/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 2s (attempt 3/8)
ssh-keyscan operation failed (attempt 3/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 4s (attempt 4/8)
ssh-keyscan operation failed (attempt 4/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 8s (attempt 5/8)
ssh-keyscan operation failed (attempt 5/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 16s (attempt 6/8)
ssh-keyscan operation failed (attempt 6/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 32s (attempt 7/8)
ssh-keyscan operation failed (attempt 7/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 1m4s (attempt 8/8)
Retrying ssh-keyscan operation in 32s (attempt 7/8)
ssh-keyscan operation failed (attempt 7/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 1m4s (attempt 8/8)
ssh-keyscan operation failed after 8 attempts
ssh-keyscan failed after 8 attempts: failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
error in FinishPipeline: Post "https://okteto.dev.<domain>.com/graphql": read tcp 10.255.222.2:53222->172.20.237.72:443: read: connection reset by peer
Deploying Dev Environment
initialized kubernetes client with InClusterConfig
ssh-keyscan operation failed (attempt 1/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 1s (attempt 2/8)
ssh-keyscan operation failed (attempt 2/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 2s (attempt 3/8)
ssh-keyscan operation failed (attempt 3/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 4s (attempt 4/8)
ssh-keyscan operation failed (attempt 4/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 8s (attempt 5/8)
ssh-keyscan operation failed (attempt 5/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 16s (attempt 6/8)
ssh-keyscan operation failed (attempt 6/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 32s (attempt 7/8)
ssh-keyscan operation failed (attempt 7/8): failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
Retrying ssh-keyscan operation in 1m4s (attempt 8/8)
ssh-keyscan operation failed after 8 attempts
ssh-keyscan failed after 8 attempts: failed to retrieve the SSH keys from "gitlab.<domain>.com", please review that the hostname is correct, and that your network configuration permits traffic between Okteto and "gitlab.<domain>.com": exit status 1
error in FinishPipeline: Post "https://okteto.dev.<domain>.com/graphql": read tcp 10.255.222.9:40228->172.20.237.72:443: read: connection reset by peer
Hi Martí,
We’ve identified an issue in the known hosts implementation where the ssh-keyscan command was being executed during deployment even when the known hosts file was already enabled; this shouldn’t have happened. The unnecessary execution of ssh-keyscan caused the deployment to fail. This behavior has been fixed and is available in chart release 1.37.2.
In your case, the ssh-keyscan failure appears to be caused by a connection issue. Since ssh-keyscan will no longer run in the new version, any connection problems might now appear during the repository clone step instead. Although the fix prevents the ssh-keyscan issue, the underlying connectivity problem might still affect the cloning process.
After upgrading to the new release, please:
1. Check if the connection problem persists.
2. Verify your network configuration, particularly:
   • That the target host is reachable from the deployment environment.
   • DNS resolution for the Git server works as expected.
   • Firewall or proxy rules are not blocking outbound SSH traffic.
   • The correct SSH port (usually 22) is open and accessible.
Let us know if the issue continues after upgrading; we’ll be happy to help troubleshoot further.
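A registered known hosts entry can be checked offline, without running ssh-keyscan from the cluster. The added example below (not Okteto's code and not posted by anyone in this thread) parses known_hosts text in OpenSSH's entry format, including hashed host fields and the `[host]:port` form, and returns the SHA256 fingerprint of each key pinned for a host so it can be compared with the fingerprint obtained from the Git server's administrator. Assumptions: the host name is the placeholder used in the thread, the key material is constructed, and only exact host names are matched (no wildcards or negation).

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 public key blob, in the SHA256:... form OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_name(host, port=22):
    """Name as written in known_hosts: bare host on port 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_name(name, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_covers(host_field, name):
    """True if the first field of an entry names this host (exact names only)."""
    if host_field.startswith("|1|"):
        salt_b64, mac_b64 = host_field.split("|")[2:4]
        want = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac_b64))
    return name in host_field.split(",")

def pinned_keys(known_hosts_text, host, port=22):
    """Return {key type: fingerprint} for every entry that applies to host:port."""
    name, found = known_hosts_name(host, port), {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        if field_covers(fields[0], name):
            found[fields[1]] = fingerprint(fields[2])
    return found

# Constructed sample data: a well-formed ed25519 key blob built from fixed bytes.
SAMPLE_KEY = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed entries, not real host keys",
    f"gitlab.ourdomain.com ssh-ed25519 {SAMPLE_KEY}",
    f"{hash_name('[gitlab.ourdomain.com]:2222', b'0123456789abcdefghij')} ssh-ed25519 {SAMPLE_KEY}",
])

if __name__ == "__main__":
    for port in (22, 2222):
        print(port, pinned_keys(SAMPLE_KNOWN_HOSTS, "gitlab.ourdomain.com", port))
```

An empty result for the host and port the pipeline clones from means no exact-name entry covers it, whatever the key itself is.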
okteto cli version: v3.12.0
executing ‘okteto context’…
x Internal server error, please try again
exit status 1
error in FinishPipeline: Post “https://okteto.dev.ourdomain.com/graphql”: read tcp 10.255.222.10:35642->172.20.237.72:443: read: connection reset by peer
As you can see, it’s trying to connect to the internal ingress service, but it fails because it expects a Proxy-type connection, while only a standard HTTP request is being sent — that’s why the connection doesn’t work.
The SSH Known Hosts bug has been fixed in Okteto, and the connectivity problem was solved by configuring the official Okteto ingresses as ClusterIP services behind my main ingress controller.
Everything is now working as expected. Thanks to the Okteto team for the quick fix!
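The proxy protocol mismatch diagnosed in this thread, as an added example that is not part of any post and not Okteto or ingress-nginx code: a listener with proxy protocol enabled expects a PROXY header as the first bytes of each connection, and a pod that connects straight to the service address sends a TLS handshake instead. The parser covers the v1 text header and the v2 signature; the `listener_outcome` model and the sample bytes are constructed, with addresses and ports taken from the log line quoted above.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte magic that opens a PROXY v2 header

def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 line; return its fields, or None if there is no valid v1 header."""
    line, sep, _ = data[:107].partition(b"\r\n")  # a v1 header is at most 107 bytes
    if not sep or not line.startswith(b"PROXY "):
        return None
    parts = line.decode("ascii", "replace").split(" ")
    if parts[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    if {src.version, dst.version} != {4 if parts[1] == "TCP4" else 6}:
        return None  # address family must match the declared protocol
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return {"proto": parts[1], "src": str(src), "sport": sport, "dst": str(dst), "dport": dport}

def classify(data):
    """Label the first bytes a client sent on a new TCP connection."""
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"
    if parse_proxy_v1(data) is not None:
        return "proxy-v1"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # TLS record: content type 22 (handshake), major version 3
    return "other"

def listener_outcome(data, proxy_protocol_enabled):
    """Model: the PROXY header must be present exactly when the listener expects it."""
    has_header = classify(data) in ("proxy-v1", "proxy-v2")
    if proxy_protocol_enabled == has_header:
        return "accept"
    return "reject: " + ("PROXY header missing" if proxy_protocol_enabled else "unexpected PROXY header")

# Constructed samples; addresses and ports come from the log line quoted in the thread.
TLS_HELLO = bytes.fromhex("16030100c8010000c40303")  # first bytes of a TLS ClientHello record
WITH_PROXY_HEADER = b"PROXY TCP4 10.255.222.9 172.20.237.72 57900 443\r\n" + TLS_HELLO

if __name__ == "__main__":
    for label, data in (("direct from pod", TLS_HELLO), ("with PROXY header", WITH_PROXY_HEADER)):
        print(label, "->", listener_outcome(data, proxy_protocol_enabled=True))
```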