diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml
index 85dfb7930..1ef76f82d 100644
--- a/ansible/kayobe-ansible-user.yml
+++ b/ansible/kayobe-ansible-user.yml
@@ -3,6 +3,9 @@
   hosts: seed:overcloud
   vars:
     ansible_user: "{{ bootstrap_user }}"
+    # We can't assume that a virtualenv exists at this point, so use the system
+    # python interpreter.
+    ansible_python_interpreter: /usr/bin/python
   roles:
     - role: singleplatform-eng.users
       users:
diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml
new file mode 100644
index 000000000..262e4ca04
--- /dev/null
+++ b/ansible/kayobe-target-venv.yml
@@ -0,0 +1,52 @@
+---
+# Create a virtualenv for ansible modules to use on the remote target systems
+# when running kayobe.
+
+- name: Ensure a virtualenv exists for kayobe
+  hosts: seed:seed-hypervisor:overcloud
+  gather_facts: False
+  tasks:
+    - name: Set a fact about the kayobe target virtualenv
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin')
+        - not ansible_python_interpreter.startswith('/usr/bin')
+
+    - block:
+        # This will cause ansible to use the system python interpreter.
+        - name: Deactivate the virtualenv
+          include_role:
+            name: deactivate-virtualenv
+
+        - name: Ensure the python-virtualenv package is installed
+          package:
+            name: python-virtualenv
+            state: installed
+          become: True
+
+        - name: Ensure kayobe virtualenv directory exists
+          file:
+            path: "{{ virtualenv }}"
+            state: directory
+            owner: "{{ ansible_user }}"
+            group: "{{ ansible_user }}"
+            mode: 0700
+          become: True
+
+        - name: Ensure kayobe virtualenv has the latest version of pip installed
+          pip:
+            name: pip
+            state: latest
+            virtualenv: "{{ virtualenv }}"
+            # Site packages are required for using the yum and selinux python
+            # modules, which are not available via PyPI.
+            virtualenv_site_packages: True
+
+        - name: Activate the virtualenv
+          include_role:
+            name: activate-virtualenv
+          vars:
+            activate_virtualenv_path: "{{ virtualenv }}"
+      when: virtualenv is defined
diff --git a/ansible/overcloud-docker-sdk-upgrade.yml b/ansible/overcloud-docker-sdk-upgrade.yml
index c52138a86..8ce71f172 100644
--- a/ansible/overcloud-docker-sdk-upgrade.yml
+++ b/ansible/overcloud-docker-sdk-upgrade.yml
@@ -5,14 +5,24 @@
     # Docker renamed their python SDK from docker-py to docker in the 2.0.0
     # release, and also broke backwards compatibility. Kolla-ansible requires
     # docker, so ensure it is installed.
+    - name: Set a fact about the virtualenv on the remote system
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin/')
+        - not ansible_python_interpreter.startswith('/usr/bin/')
+
     - name: Ensure legacy docker-py python package is uninstalled
       pip:
         name: docker-py
         state: absent
-      become: True
+        virtualenv: "{{ virtualenv is defined | ternary(virtualenv, omit) }}"
+      become: "{{ virtualenv is not defined }}"
 
     - name: Ensure docker SDK for python is installed
       pip:
         name: docker
         state: latest
-      become: True
+        virtualenv: "{{ virtualenv is defined | ternary(virtualenv, omit) }}"
+      become: "{{ virtualenv is not defined }}"
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
index c79a2d98d..374208632 100644
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@@ -6,6 +6,21 @@
       include 'devicemapper' and 'overlay'.
   when: docker_storage_driver not in ['devicemapper', 'overlay']
 
+- name: Set a fact about the virtualenv on the remote system
+  set_fact:
+    virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+  when:
+    - ansible_python_interpreter is defined
+    - not ansible_python_interpreter.startswith('/bin/')
+    - not ansible_python_interpreter.startswith('/usr/bin/')
+
+- name: Ensure docker SDK for python is installed
+  pip:
+    name: docker
+    state: latest
+    virtualenv: "{{ virtualenv is defined | ternary(virtualenv, omit) }}"
+  become: "{{ virtualenv is not defined }}"
+
 - name: Ensure user is in the docker group
   user:
     name: "{{ ansible_user_id }}"