diff --git a/releasenotes/notes/blacklisted_ips_support-f362e008ae1af210.yaml b/releasenotes/notes/blacklisted_ips_support-f362e008ae1af210.yaml
new file mode 100644
index 000000000..bd1146548
--- /dev/null
+++ b/releasenotes/notes/blacklisted_ips_support-f362e008ae1af210.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - | The `enable_ssh_admin` workflow is now always expecting a list of servers to operate on, passed via `ssh_servers` input which is left empty when unset.
\ No newline at end of file
diff --git a/workbooks/access.yaml b/workbooks/access.yaml
index 30e0c4031..786fbc46e 100644
--- a/workbooks/access.yaml
+++ b/workbooks/access.yaml
@@ -73,6 +73,7 @@ workflows:
 workflow: tripleo.access.v1.create_admin_via_nova
 input:
 queue_name: <% $.queue_name %>
+ ssh_servers: <% $.ssh_servers %>
 tasks: <% $.create_admin_tasks %>
 overcloud_admin: <% $.overcloud_admin %>
@@ -89,6 +90,7 @@ workflows:
 input:
 - tasks
 - queue_name: tripleo
+ - ssh_servers: []
 - overcloud_admin: tripleo-admin
 - ansible_extra_env_variables:
 ANSIBLE_HOST_KEY_CHECKING: 'False'
@@ -99,7 +101,7 @@ workflows:
 action: nova.servers_list
 on-success: create_admin
 publish:
- servers: <% task().result._info %>
+ servers: <% let(root => $) -> task().result._info.where($.addresses.ctlplane.addr.any($ in $root.ssh_servers)) %>
 create_admin:
 workflow: tripleo.deployment.v1.deploy_on_server
@@ -127,7 +129,7 @@ workflows:
 input:
 inventory:
 overcloud:
- hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %>
+ hosts: <% $.ssh_servers.toDict($, {}) %>
 remote_user: <% $.overcloud_admin %>
 ssh_private_key: <% $.privkey %>
 extra_env_variables: <% $.ansible_extra_env_variables %>
diff --git a/workbooks/ceph-ansible.yaml b/workbooks/ceph-ansible.yaml
index e68f2aafd..b979311db 100644
--- a/workbooks/ceph-ansible.yaml
+++ b/workbooks/ceph-ansible.yaml
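Review bot: The new `- ssh_servers: []` input in the `@@ -89` hunk carries no documentation, so its element type and the meaning of the empty default can only be recovered by tracing the `nova.servers_list` publish two hunks further down. Mistral has no per-input description, so a YAML comment above the entry is the place for it, e.g. `# ssh_servers: ctlplane IP addresses (plain strings) to enable the admin on; the empty default matches no server`. The same comment would also tell callers in other workbooks what format the list must have.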
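Review bot: The two uses of `ssh_servers` in this file no longer describe the same set of hosts: the `servers` publish in the `@@ -99` hunk keeps only the nova servers whose ctlplane address is in `ssh_servers`, while the inventory in the `@@ -127` hunk is built from the unfiltered input, `hosts: <% $.ssh_servers.toDict($, {}) %>`. An address in `ssh_servers` that matches no nova server is therefore still put into the ansible inventory although no admin was created on it, and a mistyped entry surfaces only later as an unreachable host instead of being dropped. If the inventory is meant to cover exactly the matched servers, keep deriving it from them as the removed line did, `hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %>`; if the asymmetry is intended, a comment stating why would help. The removed line used `$.servers` at that point, so it appears to be in scope, but the enclosing task starts outside the hunk and I could not confirm it.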
@@ -32,30 +32,36 @@ workflows:
 hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %>
 check_hieradata:
 on-success:
- - enable_ssh_admin: <% not bool($.hieradata) %>
+ - set_blacklisted_ips: <% not bool($.hieradata) %>
 - fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %>
+ set_blacklisted_ips:
+ publish:
+ blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
+ on-success: set_ip_lists
+ set_ip_lists:
+ publish:
+ mgr_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ mon_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ osd_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ mds_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ rgw_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ nfs_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ rbdmirror_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ client_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ on-success: merge_ip_lists
+ merge_ip_lists:
+ publish:
+ ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
+ on-success: enable_ssh_admin
 enable_ssh_admin:
 workflow: tripleo.access.v1.enable_ssh_admin
+ input:
+ ssh_servers: <% $.ips_list %>
 on-success: get_private_key
 get_private_key:
 action: tripleo.validations.get_privkey
 publish:
 private_key: <% task().result %>
- on-success: set_ip_lists
- set_ip_lists:
- publish:
- mgr_ips: <% env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []) %>
- mon_ips: <% env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []) %>
- osd_ips: <% env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []) %>
- mds_ips: <% env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []) %>
- rgw_ips: <% env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []) %>
- nfs_ips: <% env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []) %>
- rbdmirror_ips: <% env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []) %>
- client_ips: <% env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []) %>
- on-success: merge_ip_lists
- merge_ip_lists:
- publish:
- ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
 on-success: make_fetch_directory
 make_fetch_directory:
 action: tripleo.files.make_temp_dir
diff --git a/workbooks/skydive-ansible.yaml b/workbooks/skydive-ansible.yaml
index ba5307b77..32d12c765 100644
--- a/workbooks/skydive-ansible.yaml
+++ b/workbooks/skydive-ansible.yaml
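Review bot: The exclusion in `set_ip_lists` is a plain `in` test against `blacklisted_ip_addresses`, so an entry that is not byte-identical to the ctlplane address held in `service_ips` (different formatting, a hostname) is silently kept, and that node still reaches `ssh_servers: <% $.ips_list %>` and gets SSH admin enabled. Nothing in the hunk checks that a blacklist entry was actually found in any list, so such a mismatch goes unreported; a comment on `blacklisted_ips` stating the contract, e.g. `# exact string match against the ctlplane addresses in service_ips; entries that match nothing are ignored`, would make it explicit, and a later change could publish the unmatched entries so a warning can be raised. The same `set_blacklisted_ips`/`set_ip_lists` pair, with the `let(root => $) -> env().get('service_ips', {})...` expression repeated per list (eight copies here), appears again in the skydive-ansible.yaml hunk; the two could share one sub-workflow, but that is beyond this commit.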
@@ -18,18 +18,24 @@ workflows:
 tags:
 - tripleo-common-managed
 tasks:
+ set_blacklisted_ips:
+ publish:
+ blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
+ on-success: set_ip_lists
+ set_ip_lists:
+ publish:
+ agent_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ analyzer_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+ on-success: enable_ssh_admin
 enable_ssh_admin:
 workflow: tripleo.access.v1.enable_ssh_admin
+ input:
+ ssh_servers: <% ($.agent_ips + $.analyzer_ips).toSet() %>
 on-success: get_private_key
 get_private_key:
 action: tripleo.validations.get_privkey
 publish:
 private_key: <% task().result %>
- on-success: set_ip_lists
- set_ip_lists:
- publish:
- agent_ips: <% env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []) %>
- analyzer_ips: <% env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []) %>
 on-success: set_fork_count
 set_fork_count:
 publish: # unique list of all IPs: make each list a set, take unions and count