diff --git a/tripleoclient/tests/v1/undercloud/test_config.py b/tripleoclient/tests/v1/undercloud/test_config.py
index 5ec75ee4e..e69ba91c2 100644
--- a/tripleoclient/tests/v1/undercloud/test_config.py
+++ b/tripleoclient/tests/v1/undercloud/test_config.py
@@ -121,9 +121,9 @@ class TestProcessDriversAndHardwareTypes(base.TestCase):
         }, env)
 
 
-class TestNetworkSettings(base.TestCase):
+class TestBaseNetworkSettings(base.TestCase):
     def setUp(self):
-        super(TestNetworkSettings, self).setUp()
+        super(TestBaseNetworkSettings, self).setUp()
         self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
         # don't actually load config from ~/undercloud.conf
         self.mock_config_load = self.useFixture(
@@ -160,6 +160,8 @@ class TestNetworkSettings(base.TestCase):
                          dns_nameservers=[],
                          group='ctlplane-subnet')
 
+
+class TestNetworkSettings(TestBaseNetworkSettings):
     def test_default(self):
         env = {}
         undercloud_config._process_network_args(env)
@@ -895,6 +897,16 @@ class TestNetworkSettings(base.TestCase):
                           undercloud_config._generate_inspection_subnets)
 
 
+class TestChronySettings(TestBaseNetworkSettings):
+    def test_default(self):
+        env = {}
+        undercloud_config._process_chrony_acls(env)
+        expected = {
+            'ChronyAclRules': ['allow 192.168.24.0/24'],
+        }
+        self.assertEqual(expected, env)
+
+
 class TestTLSSettings(base.TestCase):
     def test_public_host_with_ip_should_give_ip_endpoint_environment(self):
         expected_env_file = os.path.join(
diff --git a/tripleoclient/v1/undercloud_config.py b/tripleoclient/v1/undercloud_config.py
index 3d94893cd..0170a6d26 100644
--- a/tripleoclient/v1/undercloud_config.py
+++ b/tripleoclient/v1/undercloud_config.py
@@ -401,6 +401,15 @@ def _process_network_args(env):
             raise exceptions.InvalidConfiguration(msg)
 
 
+def _process_chrony_acls(env):
+    """Populate ACL rules for chrony to allow ctlplane subnets"""
+    acl_rules = []
+    for subnet in CONF.subnets:
+        s = CONF.get(subnet)
+        acl_rules.append('allow ' + s.get('cidr'))
+    env['ChronyAclRules'] = acl_rules
+
+
 def prepare_undercloud_deploy(upgrade=False, no_validations=True,
                               verbose_level=1, yes=False,
                               force_stack_update=False, dry_run=False,
@@ -448,6 +457,9 @@ def prepare_undercloud_deploy(upgrade=False, no_validations=True,
     # Set up parameters for undercloud networking
     _process_network_args(env_data)
 
+    # Setup parameter for Chrony ACL rules
+    _process_chrony_acls(env_data)
+
     # Parse the undercloud.conf options to include necessary args and
     # yaml files for undercloud deploy command