diff --git a/Makefile b/Makefile
index 04723e65f..2e6346c7f 100644
--- a/Makefile
+++ b/Makefile
@@ -69,8 +69,8 @@ build/.%.done: docker/Dockerfile.%
-f build/docker/$*/Dockerfile.$* ./build/docker/$*
touch $@
-build/.flux.done: build/fluxd build/kubectl docker/ssh_config docker/kubeconfig docker/verify_known_hosts.sh
-build/.helm-operator.done: build/helm-operator build/kubectl build/helm docker/ssh_config docker/verify_known_hosts.sh docker/helm-repositories.yaml
+build/.flux.done: build/fluxd build/kubectl docker/ssh_config docker/kubeconfig docker/known_hosts.sh
+build/.helm-operator.done: build/helm-operator build/kubectl build/helm docker/ssh_config docker/known_hosts.sh docker/helm-repositories.yaml
build/fluxd: $(FLUXD_DEPS)
build/fluxd: cmd/fluxd/*.go
diff --git a/docker/Dockerfile.flux b/docker/Dockerfile.flux
index 2aa23fcca..4db8bfbce 100644
--- a/docker/Dockerfile.flux
+++ b/docker/Dockerfile.flux
@@ -6,10 +6,9 @@ RUN apk add --no-cache openssh ca-certificates tini 'git>=2.3.0' gnupg
# Add git hosts to known hosts file so we can use
# StrickHostKeyChecking with git+ssh
-ADD ./verify_known_hosts.sh /home/flux/verify_known_hosts.sh
-RUN ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com >> /etc/ssh/ssh_known_hosts && \
- sh /home/flux/verify_known_hosts.sh /etc/ssh/ssh_known_hosts && \
- rm /home/flux/verify_known_hosts.sh
+ADD ./known_hosts.sh /home/flux/known_hosts.sh
+RUN sh /home/flux/known_hosts.sh /etc/ssh/ssh_known_hosts && \
+ rm /home/flux/known_hosts.sh
# Add default SSH config, which points at the private key we'll mount
COPY ./ssh_config /etc/ssh/ssh_config
diff --git a/docker/Dockerfile.helm-operator b/docker/Dockerfile.helm-operator
index cf3dd0c2d..fca75fc0a 100644
--- a/docker/Dockerfile.helm-operator
+++ b/docker/Dockerfile.helm-operator
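Review bot: The new `ADD ./known_hosts.sh /home/flux/known_hosts.sh` copies a local file and should be `COPY ./known_hosts.sh /home/flux/known_hosts.sh`, matching the `COPY ./ssh_config` line later in the same hunk; `ADD` additionally fetches remote URLs and auto-extracts archives, which is more than this step needs and is what Dockerfile linters flag. Security-wise the step now depends entirely on the script: `ssh-keyscan` is a trust-on-first-use fetch from the network at image build time, so the only thing stopping a tampered key from being baked into the image is the script's comparison against the pinned fingerprints, and that validate function is only partly visible in this patch — confirm that `sh known_hosts.sh <file>` runs generate and then validate, and that a mismatch exits non-zero so `docker build` fails. While touching these lines, the context comment's `StrickHostKeyChecking` should read `StrictHostKeyChecking`.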
@@ -6,10 +6,9 @@ RUN apk add --no-cache openssh ca-certificates tini 'git>=2.3.0'
# Add git hosts to known hosts file so we can use
# StrickHostKeyChecking with git+ssh
-ADD ./verify_known_hosts.sh /home/flux/verify_known_hosts.sh
-RUN ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com >> /etc/ssh/ssh_known_hosts && \
- sh /home/flux/verify_known_hosts.sh /etc/ssh/ssh_known_hosts && \
- rm /home/flux/verify_known_hosts.sh
+ADD ./known_hosts.sh /home/flux/known_hosts.sh
+RUN sh /home/flux/known_hosts.sh /etc/ssh/ssh_known_hosts && \
+ rm /home/flux/known_hosts.sh
# Add default SSH config, which points at the private key we'll mount
COPY ./ssh_config /etc/ssh/ssh_config
diff --git a/docker/verify_known_hosts.sh b/docker/known_hosts.sh
similarity index 79%
rename from docker/verify_known_hosts.sh
rename to docker/known_hosts.sh
index e5bbbef45..379f6a9d3 100755
--- a/docker/verify_known_hosts.sh
+++ b/docker/known_hosts.sh
@@ -4,6 +4,7 @@ set -eu
known_hosts_file=${1}
known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"
# The heredoc below was generated by constructing a known_hosts using
#
@@ -28,6 +29,12 @@ trap cleanup EXIT
# make sure sorting is in the same locale as the heredoc
export LC_ALL=C
+
+generate() {
+ ssh-keyscan ${hosts} > ${known_hosts_file}
+ }
+
+validate() {
ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"
diff - "$fingerprints" <
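Review bot: `RUN sh /home/flux/known_hosts.sh /etc/ssh/ssh_known_hosts` quietly changes how the file is written: the removed line appended scan output with `>>`, while the script's generate() further down in this patch does `ssh-keyscan ${hosts} > ${known_hosts_file}` and truncates it. That is most likely harmless in this image, where nothing visible populates /etc/ssh/ssh_known_hosts before this step, but any key added earlier would be dropped without an error, so the intent deserves a comment above the RUN line, e.g. `# known_hosts.sh replaces the file with freshly scanned keys and is expected to fail the build if they do not match the pinned fingerprints`. The same `ADD` to `COPY` change applies here as in Dockerfile.flux, since only a local file is copied.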
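Review bot: The added `hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"` line carries no comment tying it to the pinned fingerprint heredoc that the context comment right below it refers to; adding a host here without adding its fingerprints there would presumably make validation fail, and removing one would leave stale pins behind. I would document both that coupling and the deliberate unquoted expansion, e.g. `# Hosts scanned by generate(); keep in sync with the pinned fingerprints below.` and `# Space-separated on purpose: generate() expands ${hosts} unquoted so each host is one ssh-keyscan argument.` Pre-existing but now more visible: with `set -eu`, `known_hosts_file=${1}` looks like it aborts when no argument is given, before the default on the next line can apply, so the Dockerfiles remain the only safe callers.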