Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions src/content/reference/known-issues.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,22 @@ Set-ItemProperty HKCU:\Console VirtualTerminalLevel -Type DWORD 1
```

This [stackoverflow answer](https://stackoverflow.com/questions/51680709/colored-text-output-in-powershell-console-using-ansi-vt100-codes) has more information on this topic.

## Pulling an image fails with an `EOF` error

Image pulls run on the Kubernetes node, not on your machine, so a pull can fail for any pod the cluster schedules. During `okteto up`, the failure surfaces as a Development Container that won't activate:

```console
couldn't activate your development container
Failed to pull image "node:25-alpine3.22": failed to pull and unpack image "docker.io/library/node:25-alpine3.22": failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://production.cloudfront.docker.com/...": EOF
```

The `EOF` means the connection to the host in the error closed before the image layer finished downloading. The usual cause is an egress policy on the cluster — a firewall, proxy, or domain allowlist — that doesn't permit that host. Registries commonly serve manifests from one host and redirect layer downloads to a separate CDN or storage host, and those hosts change over time, so an allowlist scoped to the registry alone starts failing on layer downloads while the manifest still resolves.

Docker Hub is the most common case. It serves manifests from `registry-1.docker.io` (after authenticating against `auth.docker.io`) and redirects layers to a CDN host. Docker added the CDN domain `production.cloudfront.docker.com` in May 2026, so allowlists that only covered the registry and an older CDN began failing with this error.

To resolve it:

1. Allow egress from your cluster to your registry's hosts over HTTPS, including the CDN or storage host it redirects layer downloads to. Because these hosts can change, prefer wildcards where your firewall supports them. For Docker Hub, allow `*.docker.io` and `*.docker.com`; Docker's [allowlist reference](https://docs.docker.com/desktop/setup/allow-list/) lists the current hosts, including `registry-1.docker.io`, `auth.docker.io`, and `production.cloudfront.docker.com`.
2. If a TLS-inspecting proxy sits in front of the cluster, trust the certificate authority that signs the registry and CDN hosts. Docker Hub's CloudFront CDN uses Amazon Trust Services, for example, so its certificates fail validation when your trust store only includes a previous CA.
3. Mirror the image in the [Okteto Registry](core/container-registry.mdx) or another registry your cluster can reach, and reference it with the [`image`](reference/okteto-manifest.mdx#image-string-optional) field in your Okteto Manifest.