diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index 91b78b75f61..67b9c5b8e78 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -320,11 +320,14 @@ - name: Verify that the packages list structure is valid ansible.utils.validate: criteria: "{{ lookup('file', 'pkgs-schema.json') }}" - data: "{{ pkgs }}" + data: "{{ os_pkgs }}" -- name: Verify that the packages list is sorted +- name: Verify that package lists are sorted vars: - pkgs_lists: "{{ pkgs.keys() | list }}" + pkgs_lists: "{{ lookup('vars', item + '_pkgs').keys() | list }}" assert: that: "pkgs_lists | sort == pkgs_lists" fail_msg: "pkgs is not sorted: {{ pkgs_lists | ansible.utils.fact_diff(pkgs_lists | sort) }}" + loop: + - os + - python diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index 7085ffb0c49..5de87a61336 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml @@ -59,12 +59,13 @@ tags: - bootstrap-os -- name: Install packages requirements +- name: Install requirements + tags: + - bootstrap-os vars: # The json_query for selecting packages name is split for readability # see files/pkgs-schema.json for the structure of `pkgs` # and the matching semantics - full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]" filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))" dquote: !unsafe '"' 
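Review bot: In 0040-verify-settings.yml the schema check still validates only `os_pkgs`, while the sorted check now loops over `os` and `python`, so `python_pkgs` reaches the pip task in 0070-system-packages.yml with no structural validation. If `python_pkgs` is meant to follow pkgs-schema.json, give the validate task the same `loop` and use `data: "{{ lookup('vars', item + '_pkgs') }}"`; if it has a different shape, it needs its own schema. The `fail_msg` also still begins `pkgs is not sorted`, which no longer says which list failed; starting it with `{{ item }}_pkgs is not sorted:` would.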
@@ -75,12 +76,30 @@ contains(not_null(versions, `[]`), '{{ ansible_distribution_version }}') || contains(not_null(releases, `[]`), '{{ ansible_distribution_release }}')" filters_family: "families && contains(families, '{{ ansible_os_family }}')" - package: - name: "{{ pkgs | dict2items | to_json|from_json | community.general.json_query(full_query) }}" - state: present - register: pkgs_task_result - until: pkgs_task_result is succeeded - retries: "{{ pkg_install_retries }}" - delay: "{{ retry_stagger | random + 3 }}" - tags: - - bootstrap-os + to_install: "{{ pkgs | dict2items | to_json|from_json | community.general.json_query(full_query) }}" + block: + - name: Install system packages + vars: + full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" + pkgs: "{{ os_pkgs }}" + package: + name: "{{ to_install }}" + state: present + register: pkgs_task_result + until: pkgs_task_result is succeeded + retries: "{{ pkg_install_retries }}" + delay: "{{ retry_stagger | random + 3 }}" + - name: Install virtualenv with needed packages + vars: + full_query: "[? value | ( {{ filters_groups }} ) ].key" + pkgs: "{{ python_pkgs }}" + ansible.builtin.pip: + name: "{{ to_install }}" + extra_args: "--only-binary :all:" + # FIXME: add --no-deps and --requires-hashes, use a fully resolved stack with hashes + # (see https://pip.pypa.io/en/stable/topics/secure-installs/) + virtualenv_site_packages: true + virtualenv: "{{ kubespray_virtualenv }}" + virtualenv_command: "{{ ansible_facts.python.executable }} -m venv" + when: + - to_install | length != 0 diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml index 28ee56a2786..ca8f2192737 100644 --- a/roles/kubernetes/preinstall/vars/main.yml +++ b/roles/kubernetes/preinstall/vars/main.yml @@ -1,5 +1,5 @@ --- -pkgs: +os_pkgs: apparmor: &debian_family_base os: families: @@ -104,3 +104,5 @@ pkgs: tar: {} unzip: {} xfsprogs: {} + +python_pkgs: {} 
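Review bot: In 0070-system-packages.yml the pip task's `full_query`, `[? value | ( {{ filters_groups }} ) ].key`, drops the `(enabled == null || enabled)` predicate that the system-package query keeps, so a `python_pkgs` entry marked `enabled: false` would still be installed into the virtualenv (assuming those entries use the same fields as `os_pkgs`). Suggest `full_query: "[? value | (enabled == null || enabled) && ( {{ filters_groups }} ) ].key"`. The pip task also lacks the `register`/`until`/`retries` that the `package` task above it has, so a transient index failure aborts the play where a package-manager failure would be retried. The FIXME names `--requires-hashes`, but pip's option is `--require-hashes`; until that work is done the install accepts whatever the index serves for these names and their dependencies, so the comment is worth getting right. The enclosing block and its `vars` start in the previous hunk.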
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml index ed71d8a066f..ae0a08eb6f3 100644 --- a/roles/kubespray-defaults/defaults/main/main.yml +++ b/roles/kubespray-defaults/defaults/main/main.yml @@ -6,6 +6,8 @@ ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='s # selinux state preinstall_selinux_state: permissive +kubespray_virtualenv: "/opt/virtualenvs/kubespray" + # Setting this value to false will fail # For details, read this comment https://github.com/kubernetes-sigs/kubespray/pull/11016#issuecomment-2004985001 kube_api_anonymous_auth: true
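Review bot: `kubespray_virtualenv` is added without a comment, between the selinux setting and the anonymous-auth note, so nothing tells an operator what is installed there or what to watch for when overriding it. Suggest a comment such as `# Virtualenv where the preinstall role pip-installs python_pkgs; keep it under a directory only root can write to`. The pip task that consumes it is in 0070-system-packages.yml; whether that task runs with become is not visible in this diff, so the ownership wording should be confirmed against the play.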