I had a chance to talk with AWS EKS Engineer in person. The official answer is that current EKS doesn't support 172.17.0.0/16 due to cidr overlapping with Docker's IP.It seems they have internal ticket to fix the issue, but no ETA.

I have exactly same issue with private ip 172.17.X.X

Error from server: Get https://172.17.X.X:10250/containerLogs/******: dial tcp 
172.17.X.X:10250: getsockopt: no route to host

I am using EKS-Optimized AMI v24.

Similar issue is discussed in here. https://github.com/aws/amazon-vpc-cni-k8s/issues/137. I wonder private ip starts with 172.17.X.X is the issue as it collides with Docker's default internal cidr, but I didn't have this issue when I was using kops.

Depending on the AMI, I get the error "getsockopt: no route to host".

I use "kubectl logs my-pod-id" to access the pod's logs.

• I am running EKS V1.10, in AWS (yes I need to upgrade to V1.11 soon).
• I am using an IP range 10.0.0.0 for my vpc and subnets. And I have 2 public and 2 private subnets.

It works (and also does not work), with the EXACT same routing, security groups, vpc, etc. Just the AMI change.

Works: ami-73a6e20b (Used when I first setup my cluster back in Oct 2018)

Does not work: ami-0e7ee8863c8536cce (and is the recommended Amazon EKS-optimized AMI as of today for us-west-2 Oregon - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html)

My point is, it may not be your routing/security-group setup.