diff --git a/handlers/main.yml b/handlers/main.yml
index 4d9b7a57..e117ab62 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,6 +23,15 @@
   listen:
     - "venv changed"
 
+# NOTE (noonedeadpunk): Remove this task after Xena release
+- name: Remove obsoleted policy.json
+  file:
+    path: "/etc/ironic/policy.json"
+    state: absent
+  listen:
+    - "Restart ironic services"
+    - "venv changed"
+
 - name: Restart tftpd
   service:
     name: "{{ ironic_tftpd_service_name }}"
diff --git a/tasks/ironic_post_install.yml b/tasks/ironic_post_install.yml
index ea283bbf..b0262437 100644
--- a/tasks/ironic_post_install.yml
+++ b/tasks/ironic_post_install.yml
@@ -120,12 +120,27 @@
     - Restart ironic services
     - Restart uwsgi services
 
-- name: Implement policy.json
-  copy:
-    content: "{{ ironic_policy_overrides | to_nice_json }}"
-    dest: "/etc/ironic/policy.json"
+- name: Implement policy.yaml
+  config_template:
+    content: "{{ ironic_policy_overrides }}"
+    dest: "/etc/ironic/policy.yaml"
+    owner: "{{ ironic_system_user_name }}"
+    group: "{{ ironic_system_group_name }}"
+    mode: "0644"
+    config_type: yaml
   when:
-    - ironic_policy_overrides != {}
+    - ironic_policy_overrides | length > 0
+  tags:
+    - ironic-policy-override
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "/etc/ironic/policy.yaml"
+    state: absent
+  when:
+    - ironic_policy_overrides | length == 0
+  tags:
+    - ironic-policy-override
 
 - name: Copy rootwrap filters
   copy: