diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8214f3b280ff839bbd3ed953395be6966f984104..d7fc79982d9e1ec55e575211086081f9fa3d6972 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+## Unreleased
+
+### Changed
+- if ncsa_security, disable snap
+- if ncsa_security, limit ssh hosts to ncsa only
+
 ## 3.2.0 - 2024-08-04
 This allows to create a cluster that is RKE2 or K3S as well as RKE1. RKE1 is deprecated and will stop to be supported on July 31st, 2025. If you want to use either RKE2 or K3S you will need to change the `network_plugin`.
diff --git a/terraform/modules/cluster/nodes.tf b/terraform/modules/cluster/nodes.tf
index 94e56d0b36cc2e3a7421a9e5b3c2c02e5a86f2a3..2de8b27eafd3d14892681984984a6fe5857432b3 100644
--- a/terraform/modules/cluster/nodes.tf
+++ b/terraform/modules/cluster/nodes.tf
@@ -65,7 +65,8 @@ resource "openstack_compute_instance_v2" "machine" {
 node_options = lookup(local.node_options, each.value.role, "--worker")
 node_labels = join(" ", [for l in each.value.labels : format("-l %s", replace(l, " ", "_"))])
 ncsa_security = var.ncsa_security
- taiga_enabled = var.taiga_enabled
+ taiga_enabled = var.taiga_enabled
+ network_cidr = var.network_cidr
 install_docker = local.rke1 && var.install_docker
 }))
diff --git a/terraform/modules/cluster/templates/user_data.tmpl b/terraform/modules/cluster/templates/user_data.tmpl
index 185c3442255c303c148aa33fc8a7ebafa702f2ba..5b48ca5878b13216922ad97f1e51a0b2945f511a 100644
--- a/terraform/modules/cluster/templates/user_data.tmpl
+++ b/terraform/modules/cluster/templates/user_data.tmpl
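Review bot: `network_cidr = var.network_cidr` passes the value through to the template unchecked, and the template renders it into an sshd `Match Address "${network_cidr}"` line (second hunk of user_data.tmpl in this commit). An empty or malformed value produces an sshd_config that does not parse, and since cloud-init writes that file at first boot the node would come up with no working sshd and no way in to repair it. If `variable "network_cidr"` is declared in this module, a `validation { condition = can(cidrhost(var.network_cidr, 0)) error_message = "network_cidr must be a CIDR block such as 10.0.0.0/16 (constructed example)." }` block rejects bad values at plan time; otherwise a `%{ if network_cidr != "" }` guard around the new Match block is the minimal protection. The enclosing `resource "openstack_compute_instance_v2" "machine"` block and its templatefile call start before this hunk.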
@@ -12,10 +12,6 @@ package_upgrade: true
 # install some packages
 packages:
 - chrony
-%{ if username == "centos" }
- - iscsi-initiator-utils
- - nfs-utils
-%{ endif }
 %{ if username == "ubuntu" }
 - open-iscsi
 - nfs-common
@@ -61,6 +57,11 @@ write_files:
 PubkeyAuthentication yes
 AuthorizedKeysFile .ssh/authorized_keys
 AuthenticationMethods publickey
+ # Allow cluster network
+ Match Address "${network_cidr}"
+ PubkeyAuthentication yes
+ AuthorizedKeysFile .ssh/authorized_keys
+ AuthenticationMethods publickey
 # Qualys Scanner
 Match User qualys
@@ -118,6 +119,17 @@ write_files:
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 %{ endif }
+%{ if ncsa_security }
+%{ if username == "ubuntu" }
+- path: /etc/apt/preferences.d/nosnap.pref
+ permissions: "0644"
+ owner: root:root
+ content: |
+ Package: snapd
+ Pin: release a=*
+ Pin-Priority: -1
+%{ endif }
+%{ endif }
 %{ if username == "ubuntu" }
 - path: /etc/sysctl.d/50-increase-inotify.conf
 permissions: "0644"
@@ -156,6 +168,11 @@ write_files:
 # clean up default pool sources if we are using ncsa security
 sed -i 's/^pool/# pool/' /etc/chrony/chrony.conf
 systemctl restart chronyd
+ # remove snap
+ snap remove --purge lxd
+ snap remove --purge core20
+ snap remove --purge snapd
+ apt-get purge --auto-remove -y snapd
 %{ endif }
 %{ endif }
 %{ if username == "ubuntu" }
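Review bot: The nosnap.pref entry sits under two nested conditionals, `%{ if ncsa_security }` followed by `%{ if username == "ubuntu" }`, each closed by its own `%{ endif }`; a single `%{ if ncsa_security && username == "ubuntu" }` ... `%{ endif }` expresses the same condition with one level less nesting in a template that already has many conditional regions. The entry would also benefit from a one-line comment stating its role, because the pin and the `snap remove` lines in the last hunk only make sense together: `# pin snapd to -1 so apt cannot pull it back in after the removal below`. A YAML comment is safe there because the entry is a list item, not block-scalar content.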
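Review bot: The four added commands run unconditionally, and `snap remove --purge lxd` exits non-zero when that snap is not present; the same applies to `core20`, whose name presumably depends on the Ubuntu release the image was built from. Whether a failure aborts the remaining commands or is silently ignored depends on the shell options set where this script begins, outside the hunk, so either the later removals and the `apt-get purge` may not run or a leftover snap goes unnoticed. Checking for snapd and for each snap before removing it keeps the step idempotent across images that ship a different set of snaps while still ending with the `apt-get purge`. The conditional regions closed by the two `%{ endif }` lines also start before this hunk.

```sh
# remove snap: apps first, then the base, then snapd itself; skip what is not installed
if command -v snap >/dev/null 2>&1; then
  for s in lxd core20 snapd; do
    snap list "$s" >/dev/null 2>&1 && snap remove --purge "$s"
  done
fi
apt-get purge --auto-remove -y snapd
```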