diff --git a/pkg/controller/worker/machines.go b/pkg/controller/worker/machines.go
index 58d3ed11..0c69366c 100644
--- a/pkg/controller/worker/machines.go
+++ b/pkg/controller/worker/machines.go
@@ -27,7 +27,7 @@ import (
 
 // DeployMachineClasses generates and creates the ironcore specific machine classes.
 func (w *workerDelegate) DeployMachineClasses(ctx context.Context) error {
-	machineClasses, machineClassSecrets, err := w.generateMachineClassAndSecrets()
+	machineClasses, machineClassSecrets, err := w.generateMachineClassAndSecrets(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to generate machine classes and machine class secrets: %w", err)
 	}
@@ -85,7 +85,7 @@ func (w *workerDelegate) GenerateMachineDeployments(ctx context.Context) (worker
 	return machineDeployments, nil
 }
 
-func (w *workerDelegate) generateMachineClassAndSecrets() ([]*machinecontrollerv1alpha1.MachineClass, []*corev1.Secret, error) {
+func (w *workerDelegate) generateMachineClassAndSecrets(ctx context.Context) ([]*machinecontrollerv1alpha1.MachineClass, []*corev1.Secret, error) {
 	var (
 		machineClasses      []*machinecontrollerv1alpha1.MachineClass
 		machineClassSecrets []*corev1.Secret
@@ -150,6 +150,11 @@ func (w *workerDelegate) generateMachineClassAndSecrets() ([]*machinecontrollerv
 				return nil, nil, fmt.Errorf("failed to marshal machine class for machine pool %s: %w", pool.Name, err)
 			}
 
+			userData, err := worker.FetchUserData(ctx, w.client, w.worker.Namespace, pool)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to fetch user data for machine pool %s: %w", pool.Name, err)
+			}
+
 			machineClass := &machinecontrollerv1alpha1.MachineClass{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      className,
@@ -177,7 +182,7 @@ func (w *workerDelegate) generateMachineClassAndSecrets() ([]*machinecontrollerv
 					Labels:    map[string]string{v1beta1constants.GardenerPurpose: v1beta1constants.GardenPurposeMachineClass},
 				},
 				Data: map[string][]byte{
-					ironcore.UserDataFieldName: pool.UserData,
+					ironcore.UserDataFieldName: userData,
 				},
 			}
 
diff --git a/pkg/controller/worker/suite_test.go b/pkg/controller/worker/suite_test.go
index 75bfe4a1..b2f80064 100644
--- a/pkg/controller/worker/suite_test.go
+++ b/pkg/controller/worker/suite_test.go
@@ -121,11 +121,13 @@ var _ = BeforeSuite(func() {
 })
 
 var (
-	volumeName      = "test-volume"
-	volumeSize      = "10Gi"
-	volumeType      = "fast"
-	volumeEncrypted = true
-	datVolumeName   = "volume-1"
+	volumeName            = "test-volume"
+	volumeSize            = "10Gi"
+	volumeType            = "fast"
+	volumeEncrypted       = true
+	datVolumeName         = "volume-1"
+	userDataSecretName    = "userdata-secret-name"
+	userDataSecretDataKey = "userdata-secret-key"
 )
 
 func SetupTest() (*corev1.Namespace, *gardener.ChartApplier) {
@@ -147,6 +149,18 @@ func SetupTest() (*corev1.Namespace, *gardener.ChartApplier) {
 		chartApplier, err = gardener.NewChartApplierForConfig(cfg)
 		Expect(err).NotTo(HaveOccurred())
 
+		userDataSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns.Name,
+				Name:      userDataSecretName,
+			},
+			Data: map[string][]byte{
+				userDataSecretDataKey: []byte("some-data"),
+			},
+		}
+		Expect(k8sClient.Create(ctx, userDataSecret)).To(Succeed())
+		DeferCleanup(k8sClient.Delete, userDataSecret)
+
 		// define test resources
 		pool = gardenerextensionv1alpha1.WorkerPool{
 			MachineType:    "foo",
@@ -159,9 +173,12 @@ func SetupTest() (*corev1.Namespace, *gardener.ChartApplier) {
 				Name:    "my-os",
 				Version: "1.0",
 			},
-			Minimum:  0,
-			Name:     "pool",
-			UserData: []byte("some-data"),
+			Minimum: 0,
+			Name:    "pool",
+			UserDataSecretRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{Name: userDataSecretName},
+				Key:                  userDataSecretDataKey,
+			},
 			Volume: &gardenerextensionv1alpha1.Volume{
 				Name:      &volumeName,
 				Type:      &volumeType,