88. Fleet SSH GitRepo connections fail after a Rancher upgrade due to an unknown host key
Published: 2026/5/23 3:14:33
Environment

Rancher v2.12, Fleet v0.13

Situation

After upgrading Rancher to v2.12, connections to SSH-based Git repositories fail with an error like one of the following:

    ssh: handshake failed: knownhosts: key is unknown

OR

    Ssh: handshake failed: knownhosts: key is unknown:failed to clone repo from branch repogit... branchmain revision path/workspace: ssh: handshake failed: knownhosts: key is unknown

Resolution

1. Add the SSH host key fingerprint of the Git repository to the known_hosts field of each secret in the Git repository configuration. This is the recommended solution.

    kubectl create secret generic customkey -n fleet-default --from-file=ssh-privatekey=private_key --from-file=known_hosts=known_hosts --type=…

2. When you don't specify an individual secret for the gitrepo and rely on the gitcredential secret, known_hosts must be added to that secret, which is located in either the fleet-default or fleet-local namespace, depending on where the gitrepo is added.

    kubectl create secret generic gitcredential -n fleet-local --from-file=ssh-privatekey=private_key --from-file=known_hosts=known_hosts --type=…

3. Alternatively, add the private repository's host key fingerprint manually to the known-hosts configmap after backing up the existing configmap. This is not a recommended solution.

    kubectl -n cattle-fleet-system get cm known-hosts -o yaml > known-hosts.yaml
    kubectl -n cattle-fleet-system edit cm known-hosts

Note: Host key fingerprints are already added for popular cloud-based Git repositories like GitHub, Bitbucket etc.

Cause

The issue is caused by a security enhancement in Fleet v0.13, which enforces SSH host key verification. This change requires users to explicitly trust the host key of their Git repositories, preventing potential man-in-the-middle attacks.
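Host key verification only prevents man-in-the-middle attacks if the key placed in known_hosts was itself checked against a fingerprint obtained from the Git server out of band. The following added example (not from the original article or the Fleet project) verifies every known_hosts entry before building the Secret from step 1. The host git.example.internal, the sample key, the `trusted` map and the `kubernetes.io/ssh-auth` type are assumptions; the secret name, namespace and data keys are the page's.

```python
import base64, hashlib, json, struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_known_hosts(text, trusted):
    """Return verified entries; `trusted` maps host -> out-of-band fingerprints."""
    verified = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            raise ValueError(f"line {n}: expected 'host keytype base64key'")
        hosts, keytype, key_b64 = fields[:3]
        blob = base64.b64decode(key_b64, validate=True)
        # The key blob begins with a length-prefixed copy of the key type.
        tlen = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if tlen < 1 or blob[4:4 + tlen] != keytype.encode():
            raise ValueError(f"line {n}: key blob does not match type {keytype}")
        fp = fingerprint(key_b64)
        for host in hosts.split(","):
            if fp not in trusted.get(host, set()):
                raise ValueError(f"line {n}: {fp} is not trusted for {host}")
        verified.append(" ".join(fields))
    return verified

def ssh_secret(name, namespace, private_key, known_hosts, trusted):
    lines = check_known_hosts(known_hosts, trusted)  # raises before anything is built
    if not lines:
        raise ValueError("known_hosts has no entries")
    enc = lambda b: base64.b64encode(b).decode()  # "type" below is assumed (cut off on the page)
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/ssh-auth",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"ssh-privatekey": enc(private_key),
                     "known_hosts": enc(("\n".join(lines) + "\n").encode())}}

def sample_key_b64(seed):  # constructed ed25519-shaped blob, not a real host key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return base64.b64encode(blob + hashlib.sha256(seed).digest()).decode()

SAMPLE_KEY = sample_key_b64(b"constructed sample")
SAMPLE_KNOWN_HOSTS = f"git.example.internal ssh-ed25519 {SAMPLE_KEY}\n"

if __name__ == "__main__":
    trusted = {"git.example.internal": {fingerprint(SAMPLE_KEY)}}  # stand-in for the published value
    secret = ssh_secret("customkey", "fleet-default", b"placeholder", SAMPLE_KNOWN_HOSTS, trusted)
    print(json.dumps(secret, indent=2))  # JSON output can be piped to kubectl apply -f -
```

In real use the `trusted` fingerprints come from the Git server's administrator or documentation, never from the same scan that produced the known_hosts file.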