diff --git a/ansible/baremetal-compute-inspect.yml b/ansible/baremetal-compute-inspect.yml
index f2a499020..8b356c17a 100644
--- a/ansible/baremetal-compute-inspect.yml
+++ b/ansible/baremetal-compute-inspect.yml
@@ -14,6 +14,7 @@
   roles:
     - role: stackhpc.os-shade
       os_shade_venv: "{{ venv }}"
+      os_shade_install_epel: "{{ yum_install_epel }}"
 
     - role: activate-virtualenv
       activate_virtualenv_path: "{{ venv }}"
diff --git a/ansible/baremetal-compute-manage.yml b/ansible/baremetal-compute-manage.yml
index a017ba4e3..326840171 100644
--- a/ansible/baremetal-compute-manage.yml
+++ b/ansible/baremetal-compute-manage.yml
@@ -14,6 +14,7 @@
   roles:
     - role: stackhpc.os-shade
       os_shade_venv: "{{ venv }}"
+      os_shade_install_epel: "{{ yum_install_epel }}"
 
     - role: activate-virtualenv
       activate_virtualenv_path: "{{ venv }}"
diff --git a/ansible/baremetal-compute-provide.yml b/ansible/baremetal-compute-provide.yml
index 6ada8c666..2d578e0f2 100644
--- a/ansible/baremetal-compute-provide.yml
+++ b/ansible/baremetal-compute-provide.yml
@@ -14,6 +14,7 @@
   roles:
     - role: stackhpc.os-shade
       os_shade_venv: "{{ venv }}"
+      os_shade_install_epel: "{{ yum_install_epel }}"
 
     - role: activate-virtualenv
       activate_virtualenv_path: "{{ venv }}"
diff --git a/ansible/compute-node-flavors.yml b/ansible/compute-node-flavors.yml
index 9f13d2dcd..304610683 100644
--- a/ansible/compute-node-flavors.yml
+++ b/ansible/compute-node-flavors.yml
@@ -12,6 +12,7 @@
   roles:
     - role: stackhpc.os-openstackclient
       os_openstackclient_venv: "{{ venv }}"
+      os_openstackclient_install_epel: "{{ yum_install_epel }}"
 
   tasks:
     - name: Get a list of ironic nodes
@@ -85,3 +86,4 @@
         os_flavors_venv: "{{ venv }}"
         os_flavors_auth_type: "{{ openstack_auth_type }}"
         os_flavors_auth: "{{ openstack_auth }}"
+        os_shade_install_epel: "{{ yum_install_epel }}"
diff --git a/ansible/external-net.yml b/ansible/external-net.yml
index ca0b4cf3c..e3ba15874 100644
--- a/ansible/external-net.yml
+++ b/ansible/external-net.yml
@@ -4,6 +4,7 @@
   hosts: controllers[0]
   roles:
     - role: stackhpc.os-networks
+      os_shade_install_epel: "{{ yum_install_epel }}"
       os_networks_venv: "{{ virtualenv_path }}/shade"
       os_networks_openstack_auth_type: "{{ openstack_auth_type }}"
       os_networks_openstack_auth: "{{ openstack_auth }}"
diff --git a/ansible/group_vars/all/yum b/ansible/group_vars/all/yum
index c600eaf28..0faa506a8 100644
--- a/ansible/group_vars/all/yum
+++ b/ansible/group_vars/all/yum
@@ -1,3 +1,8 @@
 ---
 
+# Whether or not to use a local Yum mirror.
 yum_use_local_mirror: false
+
+# Whether to install the epel-release package. This affects RedHat-based
+# systems only.
+yum_install_epel: true
diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml
index 56343ca43..4b355d94b 100644
--- a/ansible/kolla-ansible.yml
+++ b/ansible/kolla-ansible.yml
@@ -222,6 +222,7 @@
 
   roles:
     - role: kolla-ansible
+      kolla_ansible_install_epel: "{{ yum_install_epel }}"
       kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
       kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
       # NOTE: This differs from the default SELinux mode in kolla ansible,
diff --git a/ansible/kolla-build.yml b/ansible/kolla-build.yml
index 0f478435d..8b94307b2 100644
--- a/ansible/kolla-build.yml
+++ b/ansible/kolla-build.yml
@@ -5,5 +5,6 @@
     - kolla-build
   roles:
     - role: kolla
+      kolla_install_epel: "{{ yum_install_epel }}"
     - role: kolla-build
       kolla_build_extra_config_path: "{{ kayobe_config_path }}/kolla/kolla-build.conf"
diff --git a/ansible/overcloud-grafana-configure.yml b/ansible/overcloud-grafana-configure.yml
index a13f273d3..efdb9a4f8 100644
--- a/ansible/overcloud-grafana-configure.yml
+++ b/ansible/overcloud-grafana-configure.yml
@@ -18,6 +18,7 @@
   roles:
     - role: stackhpc.os-openstackclient
       os_openstackclient_venv: "{{ venv }}"
+      os_openstackclient_install_epel: "{{ yum_install_epel }}"
       when: kolla_enable_monasca | bool
 
   tasks:
diff --git a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
index 21bbcc967..bc2205bf3 100644
--- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
+++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
@@ -116,6 +116,7 @@
 
   roles:
     - role: ironic-inspector-rules
+      os_shade_install_epel: "{{ yum_install_epel }}"
       ironic_inspector_venv: "{{ virtualenv_path }}/shade"
       ironic_inspector_auth_type: "{{ openstack_auth_type }}"
       ironic_inspector_auth: "{{ openstack_auth }}"
diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml
index b18e50823..4b9626194 100644
--- a/ansible/overcloud-introspection-rules.yml
+++ b/ansible/overcloud-introspection-rules.yml
@@ -35,6 +35,7 @@
         name: stackhpc.os-openstackclient
       vars:
         os_openstackclient_venv: "{{ venv }}"
+        os_openstackclient_install_epel: "{{ yum_install_epel }}"
 
     - name: Retrieve the IPA kernel Glance image UUID
       shell: >
@@ -54,6 +55,7 @@
 
   roles:
     - role: ironic-inspector-rules
+      os_shade_install_epel: "{{ yum_install_epel }}"
       ironic_inspector_venv: "{{ venv }}"
       ironic_inspector_auth_type: "{{ openstack_auth_type }}"
       ironic_inspector_auth: "{{ openstack_auth }}"
diff --git a/ansible/overcloud-ipa-images.yml b/ansible/overcloud-ipa-images.yml
index e80595c97..7808939a0 100644
--- a/ansible/overcloud-ipa-images.yml
+++ b/ansible/overcloud-ipa-images.yml
@@ -95,6 +95,7 @@
         - item.src != item.dest
   roles:
     - role: ipa-images
+      os_shade_install_epel: "{{ yum_install_epel }}"
       ipa_images_venv: "{{ virtualenv_path }}/shade"
       ipa_images_openstack_auth_type: "{{ openstack_auth_type }}"
       ipa_images_openstack_auth: "{{ openstack_auth }}"
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index cbd5e5585..3f7e5e320 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -23,6 +23,9 @@ kolla_ansible_target_venv:
 # into the kolla-ansible venv.
 kolla_upper_constraints_file:
 
+# Whether to install the epel-release package.
+kolla_ansible_install_epel: true
+
 # Password to use to encrypt the passwords.yml file.
 kolla_ansible_vault_password:
 
diff --git a/ansible/roles/kolla-ansible/tasks/install.yml b/ansible/roles/kolla-ansible/tasks/install.yml
index 07c2a1c32..a6a2362d7 100644
--- a/ansible/roles/kolla-ansible/tasks/install.yml
+++ b/ansible/roles/kolla-ansible/tasks/install.yml
@@ -7,7 +7,9 @@
     name: epel-release
     state: installed
   become: True
-  when: ansible_os_family == 'RedHat'
+  when:
+    - ansible_os_family == 'RedHat'
+    - kolla_ansible_install_epel | bool
 
 - name: Ensure required packages are installed
   package:
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 445ed53bd..4e8642b4d 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -398,6 +398,8 @@ grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 selinux_state: {{ kolla_selinux_state }}
 {% endif %}
 
+install_epel: {{ kolla_ansible_install_epel | bool }}
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration
diff --git a/ansible/roles/kolla/defaults/main.yml b/ansible/roles/kolla/defaults/main.yml
index 3d6bf0a27..175d22880 100644
--- a/ansible/roles/kolla/defaults/main.yml
+++ b/ansible/roles/kolla/defaults/main.yml
@@ -19,6 +19,9 @@ kolla_venv: "{{ ansible_env['PWD'] }}/kolla-venv"
 # into the kolla venv.
 kolla_upper_constraints_file:
 
+# Whether to install the epel-release package.
+kolla_install_epel: true
+
 # Directory where Kolla config files will be installed.
 kolla_build_config_path:
 
diff --git a/ansible/roles/kolla/tasks/install.yml b/ansible/roles/kolla/tasks/install.yml
index c1af395dc..8c1a620fe 100644
--- a/ansible/roles/kolla/tasks/install.yml
+++ b/ansible/roles/kolla/tasks/install.yml
@@ -4,6 +4,9 @@
     name: epel-release
     state: installed
   become: True
+  when:
+    - ansible_os_family == 'RedHat'
+    - kolla_install_epel | bool
 
 - name: Ensure required packages are installed
   yum:
diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml
index fa906e572..538ccafc8 100644
--- a/ansible/seed-introspection-rules.yml
+++ b/ansible/seed-introspection-rules.yml
@@ -5,6 +5,7 @@
     - introspection-rules
   roles:
     - role: ironic-inspector-rules
+      os_shade_install_epel: "{{ yum_install_epel }}"
       ironic_inspector_venv: "{{ virtualenv_path }}/shade"
       # No auth required for Bifrost.
       ironic_inspector_auth_type: None
diff --git a/ansible/test-image-centos-cloud.yml b/ansible/test-image-centos-cloud.yml
index 6d9904e05..a0129e06b 100644
--- a/ansible/test-image-centos-cloud.yml
+++ b/ansible/test-image-centos-cloud.yml
@@ -5,6 +5,7 @@
     os_shade_venv: "{{ virtualenv_path }}/shade"
   roles:
     - role: stackhpc.os-shade
+      os_shade_install_epel: "{{ yum_install_epel }}"
   tasks:
     - name: Ensure image download directory exists
       file:
diff --git a/ansible/test-image.yml b/ansible/test-image.yml
index 5a4ea4238..881d7e048 100644
--- a/ansible/test-image.yml
+++ b/ansible/test-image.yml
@@ -19,6 +19,7 @@
     os_shade_venv: "{{ virtualenv_path }}/shade"
   roles:
     - role: stackhpc.os-shade
+      os_shade_install_epel: "{{ yum_install_epel }}"
   tasks:
     - name: Ensure diskimage-builder package is installed
       yum:
diff --git a/ansible/test-keypair.yml b/ansible/test-keypair.yml
index a0a6c28ee..4afc43f4d 100644
--- a/ansible/test-keypair.yml
+++ b/ansible/test-keypair.yml
@@ -6,6 +6,7 @@
     os_shade_venv: "{{ virtualenv_path }}/shade"
   roles:
     - role: stackhpc.os-shade
+      os_shade_install_epel: "{{ yum_install_epel }}"
   tasks:
     # Note that setting this via a play or task variable seems to not
     # evaluate the Jinja variable reference, so we use set_fact.
diff --git a/etc/kayobe/yum.yml b/etc/kayobe/yum.yml
index 66832d3c0..2bc32017d 100644
--- a/etc/kayobe/yum.yml
+++ b/etc/kayobe/yum.yml
@@ -2,8 +2,10 @@
 
 # Whether or not to use a local Yum mirror.
 #yum_use_local_mirror: false
+
 # Mirror FQDN for Yum repos.
 #yum_centos_mirror_host: 'mirror.centos.org'
+
 # Mirror directory for Yum CentOS repos.
 #yum_centos_mirror_directory: 'centos'
 # Mirror FQDN for Yum EPEL repos.
@@ -22,6 +24,10 @@
 #     gpgcheck: yes
 #yum_custom_repos:
 
+# Whether to install the epel-release package. This affects RedHat-based
+# systems only.
+#yum_install_epel:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/releasenotes/notes/optional-epel-release-92eaf3dc4aa1021b.yaml b/releasenotes/notes/optional-epel-release-92eaf3dc4aa1021b.yaml
new file mode 100644
index 000000000..b33752ffc
--- /dev/null
+++ b/releasenotes/notes/optional-epel-release-92eaf3dc4aa1021b.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds support for skipping installation of the ``epel-release`` package, by
+    setting ``yum_install_epel`` to ``false``.  In some cases this is
+    desirable, such as when a local EPEL mirror is available, or access to the
+    public repositories is not possible.