diff --git a/CHANGES.rst b/CHANGES.rst
index ea0305d0..f492c4be 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -14,6 +14,8 @@ Unreleased
 * Added the Prometheus annotations to ``grandCentral`` to allow metrics scrapping on it.
+* Restricted system user login to 10.0.0.0/8
+
 2.33.0 (2023-11-14)
 -------------------
diff --git a/crate/operator/config.py b/crate/operator/config.py
index 5bb1d216..325517bb 100644
--- a/crate/operator/config.py
+++ b/crate/operator/config.py
@@ -158,6 +158,9 @@ class Config:
 #: backup when restoring a snapshot.
 RESTORE_BACKUP_SECRET_NAME = "restore-from-backup-{name}"
+ #: CIDR the system user is allowed to login from.
+ ALLOWED_SYSTEM_USER_CIDR = "10.0.0.0/8"
+
 def __init__(self, *, prefix: str):
 self._prefix = prefix
diff --git a/crate/operator/create.py b/crate/operator/create.py
index 786f8e48..7a12929f 100644
--- a/crate/operator/create.py
+++ b/crate/operator/create.py
@@ -420,6 +420,8 @@ def get_statefulset_crate_command(
 "-Cauth.host_based.config.0.user": "crate",
 "-Cauth.host_based.config.0.address": "_local_",
 "-Cauth.host_based.config.0.method": "trust",
+ "-Cauth.host_based.config.1.user": "system",
+ "-Cauth.host_based.config.1.address": config.ALLOWED_SYSTEM_USER_CIDR,
 "-Cauth.host_based.config.99.method": "password",
 "-Cpath.data": ",".join(
 f"/data/data{i}" for i in range(node_spec["resources"]["disk"]["count"])
diff --git a/crate/operator/handlers/handle_update_cratedb.py b/crate/operator/handlers/handle_update_cratedb.py
index 3d45f1ea..f5985ae8 100644
--- a/crate/operator/handlers/handle_update_cratedb.py
+++ b/crate/operator/handlers/handle_update_cratedb.py
@@ -118,6 +118,8 @@ async def update_cratedb(
 do_restart = True
 elif field_path == ("spec", "nodes", "master", "replicas"):
 do_scale = True
+ elif field_path == ("spec", "allowedSystemUserCIDR"):
+ do_restart = True
 elif field_path == ("spec", "nodes", "data"):
 for node_spec_idx in range(len(old_spec)):
 old_spec = old_spec[node_spec_idx]
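Review bot: `ALLOWED_SYSTEM_USER_CIDR` is a bare string that the create.py hunk hands straight to CrateDB as an HBA `address`, and nothing in this hunk checks that it parses as a network, so a typo in the constant would only surface as a CrateDB startup failure on every cluster the operator creates. Validating it once where the config is built, e.g. `ipaddress.ip_network(self.ALLOWED_SYSTEM_USER_CIDR)` (with `import ipaddress`), fails fast inside the operator instead. It is also a fixed class attribute with no override path in this hunk; if the other `Config` values are read from the environment via `self._prefix` (the loader is outside the hunk, so I cannot tell), consider whether this one should be too, and otherwise say in the `#:` comment that it is fixed at build time.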
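Review bot: The new `config.1` entry sets `user` and `address` but no `method`; CrateDB's documented default for an HBA entry's `method` is `trust` (please confirm against the version you deploy), so as written the `system` user connecting from 10.0.0.0/8 would authenticate without a password, which is the opposite of the changelog's "restricted". Make the method explicit, e.g. `"-Cauth.host_based.config.1.method": "password",` directly after the address line. Because the `config.99` catch-all carries no `user` or `address` restriction in this hunk, a `system` login from outside the CIDR still matches it and is accepted with a password, so the CIDR only selects which entry handles the in-range case and the changelog wording overstates the effect. The address is also read from `config.ALLOWED_SYSTEM_USER_CIDR`, not from the new `spec.allowedSystemUserCIDR` that the handle_update_cratedb.py hunk watches and the CRD hunk declares as a bare `type: string`; unless a hunk outside this view wires the spec value through, the restart fired on that field changes nothing, and a `pattern:` on the CRD field would reject malformed CIDRs before they reach the command line. `get_statefulset_crate_command` continues outside the hunk.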
diff --git a/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml b/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
index 575073b9..c7277d1b 100644
--- a/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
+++ b/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
@@ -173,6 +173,9 @@ spec:
 items:
 type: string
 type: array
+ allowedSystemUserCIDR:
+ description: Limit system User to specific subnet
+ type: string
 externalDNS:
 description: The external DNS name record that should point to the CrateDB cluster.