diff --git a/pkg/operation/botanist/component/clusterautoscaler/cluster_autoscaler.go b/pkg/operation/botanist/component/clusterautoscaler/cluster_autoscaler.go
index bf7ee29c0c4..19f943b23e6 100644
--- a/pkg/operation/botanist/component/clusterautoscaler/cluster_autoscaler.go
+++ b/pkg/operation/botanist/component/clusterautoscaler/cluster_autoscaler.go
@@ -89,7 +89,7 @@ func New(
 		image:                         image,
 		replicas:                      replicas,
 		config:                        config,
-		runtimeVersionGreaterEqual123: versionutils.ConstraintK8sGreaterEqual123.Check(runtimeKubernetesVersion),
+		runtimeVersionGreaterEqual121: versionutils.ConstraintK8sGreaterEqual121.Check(runtimeKubernetesVersion),
 	}
 }
 
@@ -101,7 +101,7 @@ type clusterAutoscaler struct {
 	replicas       int32
 	config         *gardencorev1beta1.ClusterAutoscaler
 
-	runtimeVersionGreaterEqual123 bool
+	runtimeVersionGreaterEqual121 bool
 	namespaceUID                  types.UID
 	machineDeployments            []extensionsv1alpha1.MachineDeployment
 }
@@ -358,7 +358,7 @@ func (c *clusterAutoscaler) emptyDeployment() *appsv1.Deployment {
 func (c *clusterAutoscaler) emptyPodDisruptionBudget() client.Object {
 	objectMeta := metav1.ObjectMeta{Name: v1beta1constants.DeploymentNameClusterAutoscaler, Namespace: c.namespace}
 
-	if c.runtimeVersionGreaterEqual123 {
+	if c.runtimeVersionGreaterEqual121 {
 		return &policyv1.PodDisruptionBudget{ObjectMeta: objectMeta}
 	}
 	return &policyv1beta1.PodDisruptionBudget{ObjectMeta: objectMeta}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/bootstrap.go b/pkg/operation/botanist/component/machinecontrollermanager/bootstrap.go
new file mode 100644
index 00000000000..1df0f15ac9a
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/bootstrap.go
@@ -0,0 +1,113 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager
+
+import (
+	"context"
+	"time"
+
+	machinev1alpha1 "github.com/gardener/machine-controller-manager/pkg/apis/machine/v1alpha1"
+	coordinationv1 "k8s.io/api/coordination/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/gardener/gardener/pkg/client/kubernetes"
+	"github.com/gardener/gardener/pkg/operation/botanist/component"
+	"github.com/gardener/gardener/pkg/utils/managedresources"
+)
+
+const (
+	managedResourceControlName = "machine-controller-manager"
+	clusterRoleName            = "system:machine-controller-manager-runtime"
+)
+
+// NewBootstrapper creates a new instance of DeployWaiter for the machine-controller-manager bootstrapper.
+func NewBootstrapper(client client.Client, namespace string) component.DeployWaiter {
+	return &bootstrapper{
+		client:    client,
+		namespace: namespace,
+	}
+}
+
+type bootstrapper struct {
+	client    client.Client
+	namespace string
+}
+
+func (b *bootstrapper) Deploy(ctx context.Context) error {
+	var (
+		registry = managedresources.NewRegistry(kubernetes.SeedScheme, kubernetes.SeedCodec, kubernetes.SeedSerializer)
+
+		clusterRole = &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: clusterRoleName,
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{machinev1alpha1.GroupName},
+					Resources: []string{"*"},
+					Verbs:     []string{"*"},
+				},
+				{
+					APIGroups: []string{corev1.GroupName},
+					Resources: []string{"configmaps", "secrets", "endpoints", "events", "pods"},
+					Verbs:     []string{"*"},
+				},
+				{
+					APIGroups: []string{coordinationv1.GroupName},
+					Resources: []string{"leases"},
+					Verbs:     []string{"create"},
+				},
+				{
+					APIGroups:     []string{coordinationv1.GroupName},
+					Resources:     []string{"leases"},
+					Verbs:         []string{"get", "watch", "update"},
+					ResourceNames: []string{"machine-controller", "machine-controller-manager"},
+				},
+			},
+		}
+	)
+
+	resources, err := registry.AddAllAndSerialize(clusterRole)
+	if err != nil {
+		return err
+	}
+
+	return managedresources.CreateForSeed(ctx, b.client, b.namespace, managedResourceControlName, false, resources)
+}
+
+func (b *bootstrapper) Destroy(ctx context.Context) error {
+	return managedresources.DeleteForSeed(ctx, b.client, b.namespace, managedResourceControlName)
+}
+
+// TimeoutWaitForManagedResource is the timeout used while waiting for the ManagedResources to become healthy
+// or deleted.
+var TimeoutWaitForManagedResource = 2 * time.Minute
+
+func (b *bootstrapper) Wait(ctx context.Context) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, TimeoutWaitForManagedResource)
+	defer cancel()
+
+	return managedresources.WaitUntilHealthy(timeoutCtx, b.client, b.namespace, managedResourceControlName)
+}
+
+func (b *bootstrapper) WaitCleanup(ctx context.Context) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, TimeoutWaitForManagedResource)
+	defer cancel()
+
+	return managedresources.WaitUntilDeleted(timeoutCtx, b.client, b.namespace, managedResourceControlName)
+}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/bootstrap_test.go b/pkg/operation/botanist/component/machinecontrollermanager/bootstrap_test.go
new file mode 100644
index 00000000000..b84438b6b09
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/bootstrap_test.go
@@ -0,0 +1,245 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager_test
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
+	"github.com/gardener/gardener/pkg/client/kubernetes"
+	"github.com/gardener/gardener/pkg/operation/botanist/component"
+	. "github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager"
+	"github.com/gardener/gardener/pkg/utils/retry"
+	retryfake "github.com/gardener/gardener/pkg/utils/retry/fake"
+	"github.com/gardener/gardener/pkg/utils/test"
+	. "github.com/gardener/gardener/pkg/utils/test/matchers"
+)
+
+var _ = Describe("Bootstrap", func() {
+	var (
+		ctx = context.TODO()
+
+		managedResourceName = "machine-controller-manager"
+		namespace           = "some-namespace"
+
+		fakeClient client.Client
+		mcm        component.DeployWaiter
+
+		managedResource       *resourcesv1alpha1.ManagedResource
+		managedResourceSecret *corev1.Secret
+
+		clusterRoleYAML = `apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: system:machine-controller-manager-runtime
+rules:
+- apiGroups:
+  - machine.sapcloud.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - endpoints
+  - events
+  - pods
+  verbs:
+  - '*'
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - machine-controller
+  - machine-controller-manager
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - update
+`
+	)
+
+	BeforeEach(func() {
+		fakeClient = fakeclient.NewClientBuilder().WithScheme(kubernetes.SeedScheme).Build()
+		mcm = NewBootstrapper(fakeClient, namespace)
+
+		managedResource = &resourcesv1alpha1.ManagedResource{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      managedResourceName,
+				Namespace: namespace,
+			},
+		}
+		managedResourceSecret = &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "managedresource-" + managedResource.Name,
+				Namespace: namespace,
+			},
+		}
+	})
+
+	Describe("#Deploy", func() {
+		It("should successfully deploy all resources", func() {
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), managedResource)).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), managedResourceSecret)).To(BeNotFoundError())
+
+			Expect(mcm.Deploy(ctx)).To(Succeed())
+
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), managedResource)).To(Succeed())
+			Expect(managedResource).To(Equal(&resourcesv1alpha1.ManagedResource{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: resourcesv1alpha1.SchemeGroupVersion.String(),
+					Kind:       "ManagedResource",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            managedResource.Name,
+					Namespace:       managedResource.Namespace,
+					ResourceVersion: "1",
+					Labels:          map[string]string{"gardener.cloud/role": "seed-system-component"},
+				},
+				Spec: resourcesv1alpha1.ManagedResourceSpec{
+					Class:       pointer.String("seed"),
+					SecretRefs:  []corev1.LocalObjectReference{{Name: managedResourceSecret.Name}},
+					KeepObjects: pointer.Bool(false),
+				},
+			}))
+
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), managedResourceSecret)).To(Succeed())
+			Expect(managedResourceSecret.Type).To(Equal(corev1.SecretTypeOpaque))
+			Expect(managedResourceSecret.Data).To(HaveLen(1))
+			Expect(string(managedResourceSecret.Data["clusterrole____system_machine-controller-manager-runtime.yaml"])).To(Equal(clusterRoleYAML))
+		})
+	})
+
+	Describe("#Destroy", func() {
+		It("should successfully destroy all resources", func() {
+			Expect(fakeClient.Create(ctx, managedResource)).To(Succeed())
+			Expect(fakeClient.Create(ctx, managedResourceSecret)).To(Succeed())
+
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), managedResource)).To(Succeed())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), managedResourceSecret)).To(Succeed())
+
+			Expect(mcm.Destroy(ctx)).To(Succeed())
+
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), managedResource)).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), managedResourceSecret)).To(BeNotFoundError())
+		})
+	})
+
+	Context("waiting functions", func() {
+		var fakeOps *retryfake.Ops
+
+		BeforeEach(func() {
+			fakeOps = &retryfake.Ops{MaxAttempts: 1}
+			DeferCleanup(test.WithVars(
+				&retry.Until, fakeOps.Until,
+				&retry.UntilTimeout, fakeOps.UntilTimeout,
+			))
+		})
+
+		Describe("#Wait", func() {
+			It("should fail because reading the ManagedResource fails", func() {
+				Expect(mcm.Wait(ctx)).To(MatchError(ContainSubstring("not found")))
+			})
+
+			It("should fail because the ManagedResource doesn't become healthy", func() {
+				fakeOps.MaxAttempts = 2
+
+				Expect(fakeClient.Create(ctx, &resourcesv1alpha1.ManagedResource{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       managedResourceName,
+						Namespace:  namespace,
+						Generation: 1,
+					},
+					Status: resourcesv1alpha1.ManagedResourceStatus{
+						ObservedGeneration: 1,
+						Conditions: []gardencorev1beta1.Condition{
+							{
+								Type:   resourcesv1alpha1.ResourcesApplied,
+								Status: gardencorev1beta1.ConditionFalse,
+							},
+							{
+								Type:   resourcesv1alpha1.ResourcesHealthy,
+								Status: gardencorev1beta1.ConditionFalse,
+							},
+						},
+					},
+				})).To(Succeed())
+
+				Expect(mcm.Wait(ctx)).To(MatchError(ContainSubstring("is not healthy")))
+			})
+
+			It("should successfully wait for the managed resource to become healthy", func() {
+				fakeOps.MaxAttempts = 2
+
+				Expect(fakeClient.Create(ctx, &resourcesv1alpha1.ManagedResource{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       managedResourceName,
+						Namespace:  namespace,
+						Generation: 1,
+					},
+					Status: resourcesv1alpha1.ManagedResourceStatus{
+						ObservedGeneration: 1,
+						Conditions: []gardencorev1beta1.Condition{
+							{
+								Type:   resourcesv1alpha1.ResourcesApplied,
+								Status: gardencorev1beta1.ConditionTrue,
+							},
+							{
+								Type:   resourcesv1alpha1.ResourcesHealthy,
+								Status: gardencorev1beta1.ConditionTrue,
+							},
+						},
+					},
+				})).To(Succeed())
+
+				Expect(mcm.Wait(ctx)).To(Succeed())
+			})
+		})
+
+		Describe("#WaitCleanup", func() {
+			It("should fail when the wait for the managed resource deletion times out", func() {
+				fakeOps.MaxAttempts = 2
+
+				Expect(fakeClient.Create(ctx, managedResource)).To(Succeed())
+
+				Expect(mcm.WaitCleanup(ctx)).To(MatchError(ContainSubstring("still exists")))
+			})
+
+			It("should not return an error when it's already removed", func() {
+				Expect(mcm.WaitCleanup(ctx)).To(Succeed())
+			})
+		})
+	})
+})
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/logging.go b/pkg/operation/botanist/component/machinecontrollermanager/logging.go
new file mode 100644
index 00000000000..4078abe3126
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/logging.go
@@ -0,0 +1,48 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager
+
+import (
+	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+	"github.com/gardener/gardener/pkg/operation/botanist/component"
+)
+
+const (
+	loggingParserName = "machineControllerManagerParser"
+	loggingParser     = `[PARSER]
+    Name        ` + loggingParserName + `
+    Format      regex
+    Regex       ^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<log>.*)$
+    Time_Key    time
+    Time_Format %m%d %H:%M:%S.%L
+`
+	loggingFilter = `[FILTER]
+    Name                parser
+    Match               kubernetes.*` + v1beta1constants.DeploymentNameMachineControllerManager + `*` + containerName + `*
+    Key_Name            log
+    Parser              ` + loggingParserName + `
+    Reserve_Data        True
+`
+)
+
+// CentralLoggingConfiguration returns a fluent-bit parser and filter for the machine-controller-manager logs.
+func CentralLoggingConfiguration() (component.CentralLoggingConfig, error) {
+	return component.CentralLoggingConfig{
+		Filters:     loggingFilter,
+		Parsers:     loggingParser,
+		UserExposed: true,
+		PodPrefixes: []string{v1beta1constants.DeploymentNameMachineControllerManager},
+	}, nil
+}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/logging_test.go b/pkg/operation/botanist/component/machinecontrollermanager/logging_test.go
new file mode 100644
index 00000000000..92440be7140
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/logging_test.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	. "github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager"
+)
+
+var _ = Describe("Logging", func() {
+	Describe("#CentralLoggingConfiguration", func() {
+		It("should return the expected logging parser and filter", func() {
+			loggingConfig, err := CentralLoggingConfiguration()
+
+			Expect(err).NotTo(HaveOccurred())
+			Expect(loggingConfig.Parsers).To(Equal(`[PARSER]
+    Name        machineControllerManagerParser
+    Format      regex
+    Regex       ^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<log>.*)$
+    Time_Key    time
+    Time_Format %m%d %H:%M:%S.%L
+`))
+
+			Expect(loggingConfig.Filters).To(Equal(`[FILTER]
+    Name                parser
+    Match               kubernetes.*machine-controller-manager*machine-controller-manager*
+    Key_Name            log
+    Parser              machineControllerManagerParser
+    Reserve_Data        True
+`))
+			Expect(loggingConfig.UserExposed).To(BeTrue())
+			Expect(loggingConfig.PodPrefixes).To(ConsistOf("machine-controller-manager"))
+		})
+	})
+})
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager.go b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager.go
new file mode 100644
index 00000000000..9720f74d54f
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager.go
@@ -0,0 +1,512 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/Masterminds/semver"
+	appsv1 "k8s.io/api/apps/v1"
+	autoscalingv1 "k8s.io/api/autoscaling/v1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
+	"github.com/gardener/gardener/pkg/client/kubernetes"
+	"github.com/gardener/gardener/pkg/controllerutils"
+	"github.com/gardener/gardener/pkg/operation/botanist/component"
+	kubeapiserverconstants "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver/constants"
+	"github.com/gardener/gardener/pkg/utils"
+	gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
+	kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
+	"github.com/gardener/gardener/pkg/utils/kubernetes/health"
+	"github.com/gardener/gardener/pkg/utils/managedresources"
+	"github.com/gardener/gardener/pkg/utils/retry"
+	secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
+	versionutils "github.com/gardener/gardener/pkg/utils/version"
+)
+
+const (
+	portMetrics               = 10258
+	portNameMetrics           = "metrics"
+	containerName             = "machine-controller-manager"
+	serviceName               = "machine-controller-manager"
+	managedResourceTargetName = "shoot-core-machine-controller-manager"
+)
+
+// Interface contains functions for a machine-controller-manager deployer.
+type Interface interface {
+	component.DeployWaiter
+	component.MonitoringComponent
+	// SetNamespaceUID sets the UID of the namespace into which the cluster-autoscaler shall be deployed.
+	SetNamespaceUID(types.UID)
+}
+
+// New creates a new instance of DeployWaiter for the machine-controller-manager.
+func New(
+	client client.Client,
+	namespace string,
+	secretsManager secretsmanager.Interface,
+	values Values,
+) Interface {
+	return &machineControllerManager{
+		client:                        client,
+		namespace:                     namespace,
+		secretsManager:                secretsManager,
+		values:                        values,
+		runtimeVersionGreaterEqual121: versionutils.ConstraintK8sGreaterEqual121.Check(values.RuntimeKubernetesVersion),
+	}
+}
+
+type machineControllerManager struct {
+	client         client.Client
+	namespace      string
+	secretsManager secretsmanager.Interface
+	values         Values
+
+	runtimeVersionGreaterEqual121 bool
+}
+
+// Values is a set of configuration values for the machine-controller-manager component.
+type Values struct {
+	// Image is the container image used for machine-controller-manager.
+	Image string
+	// Replicas is the number of replicas for the deployment.
+	Replicas int32
+	// RuntimeKubernetesVersion is the Kubernetes version of the runtime cluster.
+	RuntimeKubernetesVersion *semver.Version
+
+	namespaceUID types.UID
+}
+
+func (m *machineControllerManager) Deploy(ctx context.Context) error {
+	var (
+		shootAccessSecret   = m.newShootAccessSecret()
+		serviceAccount      = m.emptyServiceAccount()
+		clusterRoleBinding  = m.emptyClusterRoleBindingRuntime()
+		service             = m.emptyService()
+		deployment          = m.emptyDeployment()
+		podDisruptionBudget = m.emptyPodDisruptionBudget()
+		vpa                 = m.emptyVPA()
+
+		vpaUpdateMode       = vpaautoscalingv1.UpdateModeAuto
+		vpaControlledValues = vpaautoscalingv1.ContainerControlledValuesRequestsOnly
+	)
+
+	genericTokenKubeconfigSecret, found := m.secretsManager.Get(v1beta1constants.SecretNameGenericTokenKubeconfig)
+	if !found {
+		return fmt.Errorf("secret %q not found", v1beta1constants.SecretNameGenericTokenKubeconfig)
+	}
+
+	if _, err := controllerutils.GetAndCreateOrStrategicMergePatch(ctx, m.client, serviceAccount, func() error {
+		serviceAccount.AutomountServiceAccountToken = pointer.Bool(false)
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if _, err := controllerutils.GetAndCreateOrStrategicMergePatch(ctx, m.client, clusterRoleBinding, func() error {
+		clusterRoleBinding.OwnerReferences = []metav1.OwnerReference{{
+			APIVersion:         "v1",
+			Kind:               "Namespace",
+			Name:               m.namespace,
+			UID:                m.values.namespaceUID,
+			Controller:         pointer.Bool(true),
+			BlockOwnerDeletion: pointer.Bool(true),
+		}}
+		clusterRoleBinding.RoleRef = rbacv1.RoleRef{
+			APIGroup: rbacv1.GroupName,
+			Kind:     "ClusterRole",
+			Name:     clusterRoleName,
+		}
+		clusterRoleBinding.Subjects = []rbacv1.Subject{{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      serviceAccount.Name,
+			Namespace: m.namespace,
+		}}
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, m.client, service, func() error {
+		service.Labels = utils.MergeStringMaps(service.Labels, getLabels())
+
+		utilruntime.Must(gardenerutils.InjectNetworkPolicyAnnotationsForScrapeTargets(service, networkingv1.NetworkPolicyPort{
+			Port:     utils.IntStrPtrFromInt(portMetrics),
+			Protocol: utils.ProtocolPtr(corev1.ProtocolTCP),
+		}))
+
+		service.Spec.Selector = getLabels()
+		service.Spec.Type = corev1.ServiceTypeClusterIP
+		service.Spec.ClusterIP = corev1.ClusterIPNone
+		desiredPorts := []corev1.ServicePort{{
+			Name:     portNameMetrics,
+			Protocol: corev1.ProtocolTCP,
+			Port:     portMetrics,
+		}}
+		service.Spec.Ports = kubernetesutils.ReconcileServicePorts(service.Spec.Ports, desiredPorts, corev1.ServiceTypeClusterIP)
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if err := shootAccessSecret.Reconcile(ctx, m.client); err != nil {
+		return err
+	}
+
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, m.client, deployment, func() error {
+		deployment.Labels = utils.MergeStringMaps(deployment.Labels, getLabels(), map[string]string{
+			resourcesv1alpha1.HighAvailabilityConfigType: resourcesv1alpha1.HighAvailabilityConfigTypeController,
+		})
+		deployment.Spec.Replicas = &m.values.Replicas
+		deployment.Spec.RevisionHistoryLimit = pointer.Int32(2)
+		deployment.Spec.Selector = &metav1.LabelSelector{MatchLabels: getLabels()}
+		deployment.Spec.Template = corev1.PodTemplateSpec{
+			ObjectMeta: metav1.ObjectMeta{
+				Labels: utils.MergeStringMaps(getLabels(), map[string]string{
+					v1beta1constants.GardenRole:                                                                                 v1beta1constants.GardenRoleControlPlane,
+					v1beta1constants.LabelPodMaintenanceRestart:                                                                 "true",
+					v1beta1constants.LabelNetworkPolicyToDNS:                                                                    v1beta1constants.LabelNetworkPolicyAllowed,
+					v1beta1constants.LabelNetworkPolicyToPublicNetworks:                                                         v1beta1constants.LabelNetworkPolicyAllowed,
+					v1beta1constants.LabelNetworkPolicyToPrivateNetworks:                                                        v1beta1constants.LabelNetworkPolicyAllowed,
+					v1beta1constants.LabelNetworkPolicyToRuntimeAPIServer:                                                       v1beta1constants.LabelNetworkPolicyAllowed,
+					gardenerutils.NetworkPolicyLabel(v1beta1constants.DeploymentNameKubeAPIServer, kubeapiserverconstants.Port): v1beta1constants.LabelNetworkPolicyAllowed,
+				}),
+			},
+			Spec: corev1.PodSpec{
+				Containers: []corev1.Container{{
+					Name:            containerName,
+					Image:           m.values.Image,
+					ImagePullPolicy: corev1.PullIfNotPresent,
+					Command: []string{
+						"./machine-controller-manager",
+						"--control-kubeconfig=inClusterConfig",
+						"--delete-migrated-machine-class=true",
+						"--machine-safety-apiserver-statuscheck-timeout=30s",
+						"--machine-safety-apiserver-statuscheck-period=1m",
+						"--machine-safety-orphan-vms-period=30m",
+						"--machine-safety-overshooting-period=1m",
+						"--namespace=" + m.namespace,
+						fmt.Sprintf("--port=%d", portMetrics),
+						"--safety-up=2",
+						"--safety-down=1",
+						"--target-kubeconfig=" + gardenerutils.PathGenericKubeconfig,
+						"--v=3",
+					},
+					LivenessProbe: &corev1.Probe{
+						ProbeHandler: corev1.ProbeHandler{
+							HTTPGet: &corev1.HTTPGetAction{
+								Path:   "/healthz",
+								Port:   intstr.FromInt(portMetrics),
+								Scheme: corev1.URISchemeHTTP,
+							},
+						},
+						FailureThreshold:    3,
+						InitialDelaySeconds: 30,
+						PeriodSeconds:       10,
+						SuccessThreshold:    1,
+						TimeoutSeconds:      5,
+					},
+					Ports: []corev1.ContainerPort{{
+						Name:          portNameMetrics,
+						ContainerPort: portMetrics,
+						Protocol:      corev1.ProtocolTCP,
+					}},
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("31m"),
+							corev1.ResourceMemory: resource.MustParse("70Mi"),
+						},
+						Limits: corev1.ResourceList{
+							corev1.ResourceMemory: resource.MustParse("1024Mi"),
+						},
+					}},
+				},
+				PriorityClassName:             v1beta1constants.PriorityClassNameShootControlPlane300,
+				ServiceAccountName:            serviceAccount.Name,
+				TerminationGracePeriodSeconds: pointer.Int64(5),
+			},
+		}
+
+		utilruntime.Must(gardenerutils.InjectGenericKubeconfig(deployment, genericTokenKubeconfigSecret.Name, shootAccessSecret.Secret.Name))
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, m.client, podDisruptionBudget, func() error {
+		switch pdb := podDisruptionBudget.(type) {
+		case *policyv1.PodDisruptionBudget:
+			pdb.Labels = utils.MergeStringMaps(pdb.Labels, getLabels())
+			pdb.Spec = policyv1.PodDisruptionBudgetSpec{
+				MaxUnavailable: utils.IntStrPtrFromInt(1),
+				Selector:       deployment.Spec.Selector,
+			}
+		case *policyv1beta1.PodDisruptionBudget:
+			pdb.Labels = utils.MergeStringMaps(pdb.Labels, getLabels())
+			pdb.Spec = policyv1beta1.PodDisruptionBudgetSpec{
+				MaxUnavailable: utils.IntStrPtrFromInt(1),
+				Selector:       deployment.Spec.Selector,
+			}
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if _, err := controllerutils.GetAndCreateOrMergePatch(ctx, m.client, vpa, func() error {
+		vpa.Spec.TargetRef = &autoscalingv1.CrossVersionObjectReference{
+			APIVersion: appsv1.SchemeGroupVersion.String(),
+			Kind:       "Deployment",
+			Name:       deployment.Name,
+		}
+		vpa.Spec.UpdatePolicy = &vpaautoscalingv1.PodUpdatePolicy{UpdateMode: &vpaUpdateMode}
+		vpa.Spec.ResourcePolicy = &vpaautoscalingv1.PodResourcePolicy{
+			ContainerPolicies: []vpaautoscalingv1.ContainerResourcePolicy{{
+				ContainerName:    containerName,
+				ControlledValues: &vpaControlledValues,
+				MinAllowed: corev1.ResourceList{
+					corev1.ResourceMemory: resource.MustParse("70Mi"),
+				},
+				MaxAllowed: corev1.ResourceList{
+					corev1.ResourceCPU:    resource.MustParse("2"),
+					corev1.ResourceMemory: resource.MustParse("5G"),
+				},
+			}},
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	data, err := m.computeShootResourcesData(shootAccessSecret.ServiceAccountName)
+	if err != nil {
+		return err
+	}
+
+	return managedresources.CreateForShoot(ctx, m.client, m.namespace, managedResourceTargetName, managedresources.LabelValueGardener, false, data)
+}
+
+func (m *machineControllerManager) Destroy(ctx context.Context) error {
+	return kubernetesutils.DeleteObjects(ctx, m.client,
+		m.emptyManagedResource(),
+		m.emptyManagedResourceSecret(),
+		m.emptyVPA(),
+		m.emptyPodDisruptionBudget(),
+		m.emptyDeployment(),
+		m.newShootAccessSecret().Secret,
+		m.emptyService(),
+		m.emptyClusterRoleBindingRuntime(),
+		m.emptyServiceAccount(),
+	)
+}
+
+var (
+	// DefaultInterval is the default interval.
+	DefaultInterval = 5 * time.Second
+	// DefaultTimeout is the default timeout.
+	DefaultTimeout = 5 * time.Minute
+)
+
+func (m *machineControllerManager) Wait(ctx context.Context) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, DefaultTimeout)
+	defer cancel()
+
+	deployment := m.emptyDeployment()
+	return retry.Until(timeoutCtx, DefaultInterval, health.IsDeploymentUpdated(m.client, deployment))
+}
+
+func (m *machineControllerManager) WaitCleanup(ctx context.Context) error {
+	timeoutCtx, cancel := context.WithTimeout(ctx, DefaultTimeout)
+	defer cancel()
+
+	return retry.Until(timeoutCtx, DefaultInterval, func(ctx context.Context) (done bool, err error) {
+		deploy := m.emptyDeployment()
+		err = m.client.Get(ctx, client.ObjectKeyFromObject(deploy), deploy)
+		switch {
+		case apierrors.IsNotFound(err):
+			return retry.Ok()
+		case err == nil:
+			return retry.MinorError(err)
+		default:
+			return retry.SevereError(err)
+		}
+	})
+}
+
+func (m *machineControllerManager) SetNamespaceUID(uid types.UID) { m.values.namespaceUID = uid }
+
+func (m *machineControllerManager) computeShootResourcesData(serviceAccountName string) (map[string][]byte, error) {
+	var (
+		registry = managedresources.NewRegistry(kubernetes.ShootScheme, kubernetes.ShootCodec, kubernetes.ShootSerializer)
+
+		clusterRole = &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "gardener.cloud:target:machine-controller-manager",
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{"nodes", "nodes/status", "endpoints", "replicationcontrollers", "pods", "persistentvolumes", "persistentvolumeclaims"},
+					Verbs:     []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"},
+				},
+				{
+					APIGroups: []string{""},
+					Resources: []string{"pods/eviction"},
+					Verbs:     []string{"create"},
+				},
+				{
+					APIGroups: []string{"apps"},
+					Resources: []string{"replicasets", "statefulsets", "daemonsets", "deployments"},
+					Verbs:     []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"},
+				},
+				{
+					APIGroups: []string{"batch"},
+					Resources: []string{"jobs", "cronjobs"},
+					Verbs:     []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"},
+				},
+				{
+					APIGroups: []string{"policy"},
+					Resources: []string{"poddisruptionbudgets"},
+					Verbs:     []string{"list", "watch"},
+				},
+				{
+					APIGroups: []string{"storage.k8s.io"},
+					Resources: []string{"volumeattachments"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
+			},
+		}
+
+		clusterRoleBinding = &rbacv1.ClusterRoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "gardener.cloud:target:machine-controller-manager",
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: rbacv1.GroupName,
+				Kind:     "ClusterRole",
+				Name:     clusterRole.Name,
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      serviceAccountName,
+				Namespace: metav1.NamespaceSystem,
+			}},
+		}
+
+		role = &rbacv1.Role{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "gardener.cloud:target:machine-controller-manager",
+				Namespace: metav1.NamespaceSystem,
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{"secrets"},
+					Verbs:     []string{"create", "delete", "get", "list"},
+				},
+			},
+		}
+
+		roleBinding = &rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "gardener.cloud:target:machine-controller-manager",
+				Namespace: metav1.NamespaceSystem,
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      serviceAccountName,
+				Namespace: metav1.NamespaceSystem,
+			}},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: rbacv1.GroupName,
+				Kind:     "Role",
+				Name:     role.Name,
+			},
+		}
+	)
+
+	return registry.AddAllAndSerialize(
+		clusterRole,
+		clusterRoleBinding,
+		role,
+		roleBinding,
+	)
+}
+
+func (m *machineControllerManager) emptyServiceAccount() *corev1.ServiceAccount {
+	return &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "machine-controller-manager", Namespace: m.namespace}}
+}
+
+func (m *machineControllerManager) emptyClusterRoleBindingRuntime() *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "machine-controller-manager-" + m.namespace}}
+}
+
+func (m *machineControllerManager) emptyService() *corev1.Service {
+	return &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: m.namespace}}
+}
+
+func (m *machineControllerManager) newShootAccessSecret() *gardenerutils.ShootAccessSecret {
+	return gardenerutils.NewShootAccessSecret(v1beta1constants.DeploymentNameMachineControllerManager, m.namespace)
+}
+
+func (m *machineControllerManager) emptyDeployment() *appsv1.Deployment {
+	return &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: v1beta1constants.DeploymentNameMachineControllerManager, Namespace: m.namespace}}
+}
+
+func (m *machineControllerManager) emptyPodDisruptionBudget() client.Object {
+	objectMeta := metav1.ObjectMeta{Name: v1beta1constants.DeploymentNameMachineControllerManager, Namespace: m.namespace}
+
+	if m.runtimeVersionGreaterEqual121 {
+		return &policyv1.PodDisruptionBudget{ObjectMeta: objectMeta}
+	}
+	return &policyv1beta1.PodDisruptionBudget{ObjectMeta: objectMeta}
+}
+
+func (m *machineControllerManager) emptyVPA() *vpaautoscalingv1.VerticalPodAutoscaler {
+	return &vpaautoscalingv1.VerticalPodAutoscaler{ObjectMeta: metav1.ObjectMeta{Name: "machine-controller-manager-vpa", Namespace: m.namespace}}
+}
+
+func (m *machineControllerManager) emptyManagedResource() *resourcesv1alpha1.ManagedResource {
+	return &resourcesv1alpha1.ManagedResource{ObjectMeta: metav1.ObjectMeta{Name: managedResourceTargetName, Namespace: m.namespace}}
+}
+
+func (m *machineControllerManager) emptyManagedResourceSecret() *corev1.Secret {
+	return &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: managedresources.SecretName(managedResourceTargetName, true), Namespace: m.namespace}}
+}
+
+func getLabels() map[string]string {
+	return map[string]string{
+		v1beta1constants.LabelApp:  v1beta1constants.LabelKubernetes,
+		v1beta1constants.LabelRole: "machine-controller-manager",
+	}
+}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_suite_test.go b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_suite_test.go
new file mode 100644
index 00000000000..c0ad3488e2f
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_suite_test.go
@@ -0,0 +1,34 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
+	"github.com/gardener/gardener/pkg/utils/test"
+)
+
+func TestMachineControllerManager(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Botanist Component MachineControllerManager Suite")
+}
+
+var _ = BeforeSuite(func() {
+	DeferCleanup(test.WithVar(&secretsutils.GenerateKey, secretsutils.FakeGenerateKey))
+})
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_test.go b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_test.go
new file mode 100644
index 00000000000..7d144553721
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/machine_controller_manager_test.go
@@ -0,0 +1,641 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager_test
+
+import (
+	"context"
+	"time"
+
+	"github.com/Masterminds/semver"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	appsv1 "k8s.io/api/apps/v1"
+	autoscalingv1 "k8s.io/api/autoscaling/v1"
+	corev1 "k8s.io/api/core/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
+	"github.com/gardener/gardener/pkg/client/kubernetes"
+	. "github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager"
+	"github.com/gardener/gardener/pkg/utils"
+	gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
+	secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
+	fakesecretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager/fake"
+	"github.com/gardener/gardener/pkg/utils/test"
+	. "github.com/gardener/gardener/pkg/utils/test/matchers"
+)
+
+var _ = Describe("MachineControllerManager", func() {
+	var (
+		ctx       = context.TODO()
+		namespace = "shoot--foo--bar"
+
+		image                    = "mcm-image:tag"
+		runtimeKubernetesVersion = semver.MustParse("1.26.1")
+		namespaceUID             = types.UID("uid")
+		replicas                 = int32(1)
+
+		fakeClient client.Client
+		sm         secretsmanager.Interface
+		values     Values
+		mcm        Interface
+
+		serviceAccount        *corev1.ServiceAccount
+		clusterRoleBinding    *rbacv1.ClusterRoleBinding
+		service               *corev1.Service
+		shootAccessSecret     *corev1.Secret
+		deployment            *appsv1.Deployment
+		podDisruptionBudget   *policyv1.PodDisruptionBudget
+		vpa                   *vpaautoscalingv1.VerticalPodAutoscaler
+		managedResourceSecret *corev1.Secret
+		managedResource       *resourcesv1alpha1.ManagedResource
+	)
+
+	BeforeEach(func() {
+		fakeClient = fakeclient.NewClientBuilder().WithScheme(kubernetes.SeedScheme).Build()
+		sm = fakesecretsmanager.New(fakeClient, namespace)
+		values = Values{
+			Image:                    image,
+			Replicas:                 replicas,
+			RuntimeKubernetesVersion: runtimeKubernetesVersion,
+		}
+		mcm = New(fakeClient, namespace, sm, values)
+		mcm.SetNamespaceUID(namespaceUID)
+
+		By("Create secrets managed outside of this package for whose secretsmanager.Get() will be called")
+		Expect(fakeClient.Create(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "generic-token-kubeconfig", Namespace: namespace}})).To(Succeed())
+
+		serviceAccount = &corev1.ServiceAccount{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "ServiceAccount",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "machine-controller-manager",
+				Namespace: namespace,
+			},
+			AutomountServiceAccountToken: pointer.Bool(false),
+		}
+
+		clusterRoleBinding = &rbacv1.ClusterRoleBinding{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "rbac.authorization.k8s.io/v1",
+				Kind:       "ClusterRoleBinding",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "machine-controller-manager-" + namespace,
+				OwnerReferences: []metav1.OwnerReference{{
+					APIVersion:         "v1",
+					Kind:               "Namespace",
+					Name:               namespace,
+					UID:                namespaceUID,
+					Controller:         pointer.Bool(true),
+					BlockOwnerDeletion: pointer.Bool(true),
+				}},
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "ClusterRole",
+				Name:     "system:machine-controller-manager-runtime",
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind:      "ServiceAccount",
+				Name:      "machine-controller-manager",
+				Namespace: namespace,
+			}},
+		}
+
+		service = &corev1.Service{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Service",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "machine-controller-manager",
+				Namespace: namespace,
+				Labels: map[string]string{
+					"app":  "kubernetes",
+					"role": "machine-controller-manager",
+				},
+				Annotations: map[string]string{
+					"networking.resources.gardener.cloud/from-policy-allowed-ports":      `[{"protocol":"TCP","port":10258}]`,
+					"networking.resources.gardener.cloud/from-policy-pod-label-selector": "all-scrape-targets",
+				},
+			},
+			Spec: corev1.ServiceSpec{
+				Type:      corev1.ServiceTypeClusterIP,
+				ClusterIP: corev1.ClusterIPNone,
+				Ports: []corev1.ServicePort{{
+					Name:     "metrics",
+					Port:     10258,
+					Protocol: corev1.ProtocolTCP,
+				}},
+				Selector: map[string]string{
+					"app":  "kubernetes",
+					"role": "machine-controller-manager",
+				},
+			},
+		}
+
+		shootAccessSecret = &corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Secret",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "shoot-access-machine-controller-manager",
+				Namespace: namespace,
+				Labels: map[string]string{
+					"resources.gardener.cloud/purpose": "token-requestor",
+				},
+				Annotations: map[string]string{
+					"serviceaccount.resources.gardener.cloud/name":      "machine-controller-manager",
+					"serviceaccount.resources.gardener.cloud/namespace": "kube-system",
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+		}
+
+		deployment = &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "apps/v1",
+				Kind:       "Deployment",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "machine-controller-manager",
+				Namespace: namespace,
+				Labels: map[string]string{
+					"app":  "kubernetes",
+					"role": "machine-controller-manager",
+					"high-availability-config.resources.gardener.cloud/type": "controller",
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Replicas:             &replicas,
+				RevisionHistoryLimit: pointer.Int32(2),
+				Selector: &metav1.LabelSelector{MatchLabels: map[string]string{
+					"app":  "kubernetes",
+					"role": "machine-controller-manager",
+				}},
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Labels: map[string]string{
+							"app":                                "kubernetes",
+							"role":                               "machine-controller-manager",
+							"gardener.cloud/role":                "controlplane",
+							"maintenance.gardener.cloud/restart": "true",
+							"networking.gardener.cloud/to-dns":   "allowed",
+							"networking.gardener.cloud/to-public-networks":                  "allowed",
+							"networking.gardener.cloud/to-private-networks":                 "allowed",
+							"networking.gardener.cloud/to-runtime-apiserver":                "allowed",
+							"networking.resources.gardener.cloud/to-kube-apiserver-tcp-443": "allowed",
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{{
+							Name:            "machine-controller-manager",
+							Image:           image,
+							ImagePullPolicy: corev1.PullIfNotPresent,
+							Command: []string{
+								"./machine-controller-manager",
+								"--control-kubeconfig=inClusterConfig",
+								"--delete-migrated-machine-class=true",
+								"--machine-safety-apiserver-statuscheck-timeout=30s",
+								"--machine-safety-apiserver-statuscheck-period=1m",
+								"--machine-safety-orphan-vms-period=30m",
+								"--machine-safety-overshooting-period=1m",
+								"--namespace=" + namespace,
+								"--port=10258",
+								"--safety-up=2",
+								"--safety-down=1",
+								"--target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig",
+								"--v=3",
+							},
+							LivenessProbe: &corev1.Probe{
+								ProbeHandler: corev1.ProbeHandler{
+									HTTPGet: &corev1.HTTPGetAction{
+										Path:   "/healthz",
+										Port:   intstr.FromInt(10258),
+										Scheme: corev1.URISchemeHTTP,
+									},
+								},
+								FailureThreshold:    3,
+								InitialDelaySeconds: 30,
+								PeriodSeconds:       10,
+								SuccessThreshold:    1,
+								TimeoutSeconds:      5,
+							},
+							Ports: []corev1.ContainerPort{{
+								Name:          "metrics",
+								ContainerPort: 10258,
+								Protocol:      corev1.ProtocolTCP,
+							}},
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("31m"),
+									corev1.ResourceMemory: resource.MustParse("70Mi"),
+								},
+								Limits: corev1.ResourceList{
+									corev1.ResourceMemory: resource.MustParse("1Gi"),
+								},
+							},
+						}},
+						PriorityClassName:             "gardener-system-300",
+						ServiceAccountName:            "machine-controller-manager",
+						TerminationGracePeriodSeconds: pointer.Int64(5),
+					},
+				},
+			},
+		}
+		Expect(gardenerutils.InjectGenericKubeconfig(deployment, "generic-token-kubeconfig", shootAccessSecret.Name)).To(Succeed())
+
+		podDisruptionBudget = &policyv1.PodDisruptionBudget{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "policy/v1",
+				Kind:       "PodDisruptionBudget",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "machine-controller-manager",
+				Namespace: namespace,
+				Labels: map[string]string{
+					"app":  "kubernetes",
+					"role": "machine-controller-manager",
+				},
+			},
+			Spec: policyv1.PodDisruptionBudgetSpec{
+				MaxUnavailable: utils.IntStrPtrFromInt(1),
+				Selector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"app":  "kubernetes",
+						"role": "machine-controller-manager",
+					},
+				},
+			},
+		}
+
+		vpaUpdateMode := vpaautoscalingv1.UpdateModeAuto
+		vpaControlledValues := vpaautoscalingv1.ContainerControlledValuesRequestsOnly
+		vpa = &vpaautoscalingv1.VerticalPodAutoscaler{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "autoscaling.k8s.io/v1",
+				Kind:       "VerticalPodAutoscaler",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "machine-controller-manager-vpa",
+				Namespace: namespace,
+			},
+			Spec: vpaautoscalingv1.VerticalPodAutoscalerSpec{
+				TargetRef: &autoscalingv1.CrossVersionObjectReference{
+					APIVersion: "apps/v1",
+					Kind:       "Deployment",
+					Name:       "machine-controller-manager",
+				},
+				UpdatePolicy: &vpaautoscalingv1.PodUpdatePolicy{
+					UpdateMode: &vpaUpdateMode,
+				},
+				ResourcePolicy: &vpaautoscalingv1.PodResourcePolicy{
+					ContainerPolicies: []vpaautoscalingv1.ContainerResourcePolicy{{
+						ContainerName:    "machine-controller-manager",
+						ControlledValues: &vpaControlledValues,
+						MinAllowed: corev1.ResourceList{
+							corev1.ResourceMemory: resource.MustParse("70Mi"),
+						},
+						MaxAllowed: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("2"),
+							corev1.ResourceMemory: resource.MustParse("5G"),
+						},
+					}},
+				},
+			},
+		}
+
+		clusterRoleYAML := `apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: gardener.cloud:target:machine-controller-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - nodes/status
+  - endpoints
+  - replicationcontrollers
+  - pods
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  - statefulsets
+  - daemonsets
+  - deployments
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+`
+
+		clusterRoleBindingYAML := `apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: gardener.cloud:target:machine-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gardener.cloud:target:machine-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: machine-controller-manager
+  namespace: kube-system
+`
+
+		roleYAML := `apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: gardener.cloud:target:machine-controller-manager
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+`
+
+		roleBindingYAML := `apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: gardener.cloud:target:machine-controller-manager
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gardener.cloud:target:machine-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: machine-controller-manager
+  namespace: kube-system
+`
+
+		managedResourceSecret = &corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Secret",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "managedresource-shoot-core-machine-controller-manager",
+				Namespace: namespace,
+			},
+			Type: corev1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				"clusterrole____gardener.cloud_target_machine-controller-manager.yaml":            []byte(clusterRoleYAML),
+				"clusterrolebinding____gardener.cloud_target_machine-controller-manager.yaml":     []byte(clusterRoleBindingYAML),
+				"role__kube-system__gardener.cloud_target_machine-controller-manager.yaml":        []byte(roleYAML),
+				"rolebinding__kube-system__gardener.cloud_target_machine-controller-manager.yaml": []byte(roleBindingYAML),
+			},
+		}
+		managedResource = &resourcesv1alpha1.ManagedResource{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "resources.gardener.cloud/v1alpha1",
+				Kind:       "ManagedResource",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "shoot-core-machine-controller-manager",
+				Namespace: namespace,
+				Labels:    map[string]string{"origin": "gardener"},
+			},
+			Spec: resourcesv1alpha1.ManagedResourceSpec{
+				SecretRefs:   []corev1.LocalObjectReference{{Name: managedResourceSecret.Name}},
+				InjectLabels: map[string]string{"shoot.gardener.cloud/no-cleanup": "true"},
+				KeepObjects:  pointer.Bool(false),
+			},
+		}
+	})
+
+	Describe("#Deploy", func() {
+		It("should successfully deploy all resources", func() {
+			Expect(mcm.Deploy(ctx)).To(Succeed())
+
+			actualServiceAccount := &corev1.ServiceAccount{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(serviceAccount), actualServiceAccount)).To(Succeed())
+			serviceAccount.ResourceVersion = "1"
+			Expect(actualServiceAccount).To(Equal(serviceAccount))
+
+			actualClusterRoleBinding := &rbacv1.ClusterRoleBinding{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), actualClusterRoleBinding)).To(Succeed())
+			clusterRoleBinding.ResourceVersion = "1"
+			Expect(actualClusterRoleBinding).To(Equal(clusterRoleBinding))
+
+			actualService := &corev1.Service{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(service), actualService)).To(Succeed())
+			service.ResourceVersion = "1"
+			Expect(actualService).To(Equal(service))
+
+			actualShootAccessSecret := &corev1.Secret{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(shootAccessSecret), actualShootAccessSecret)).To(Succeed())
+			shootAccessSecret.ResourceVersion = "1"
+			Expect(actualShootAccessSecret).To(Equal(shootAccessSecret))
+
+			actualDeployment := &appsv1.Deployment{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(deployment), actualDeployment)).To(Succeed())
+			deployment.ResourceVersion = "1"
+			Expect(actualDeployment).To(Equal(deployment))
+
+			actualPodDisruptionBudget := &policyv1.PodDisruptionBudget{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(podDisruptionBudget), actualPodDisruptionBudget)).To(Succeed())
+			podDisruptionBudget.ResourceVersion = "1"
+			Expect(actualPodDisruptionBudget).To(Equal(podDisruptionBudget))
+
+			actualVPA := &vpaautoscalingv1.VerticalPodAutoscaler{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(vpa), actualVPA)).To(Succeed())
+			vpa.ResourceVersion = "1"
+			Expect(actualVPA).To(Equal(vpa))
+
+			actualManagedResourceSecret := &corev1.Secret{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), actualManagedResourceSecret)).To(Succeed())
+			managedResourceSecret.ResourceVersion = "1"
+			Expect(actualManagedResourceSecret).To(Equal(managedResourceSecret))
+
+			actualManagedResource := &resourcesv1alpha1.ManagedResource{}
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), actualManagedResource)).To(Succeed())
+			managedResource.ResourceVersion = "1"
+			Expect(actualManagedResource).To(Equal(managedResource))
+		})
+	})
+
+	Describe("#Destroy", func() {
+		It("should successfully destroy all resources", func() {
+			Expect(fakeClient.Create(ctx, serviceAccount)).To(Succeed())
+			Expect(fakeClient.Create(ctx, clusterRoleBinding)).To(Succeed())
+			Expect(fakeClient.Create(ctx, service)).To(Succeed())
+			Expect(fakeClient.Create(ctx, shootAccessSecret)).To(Succeed())
+			Expect(fakeClient.Create(ctx, deployment)).To(Succeed())
+			Expect(fakeClient.Create(ctx, podDisruptionBudget)).To(Succeed())
+			Expect(fakeClient.Create(ctx, vpa)).To(Succeed())
+			Expect(fakeClient.Create(ctx, managedResourceSecret)).To(Succeed())
+			Expect(fakeClient.Create(ctx, managedResource)).To(Succeed())
+
+			Expect(mcm.Destroy(ctx)).To(Succeed())
+
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResource), &resourcesv1alpha1.ManagedResource{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(managedResourceSecret), &corev1.Secret{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(vpa), &vpaautoscalingv1.VerticalPodAutoscaler{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(podDisruptionBudget), &policyv1.PodDisruptionBudget{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(deployment), &appsv1.Deployment{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(shootAccessSecret), &corev1.Secret{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(service), &corev1.Service{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), &rbacv1.ClusterRoleBinding{})).To(BeNotFoundError())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(serviceAccount), &corev1.ServiceAccount{})).To(BeNotFoundError())
+		})
+	})
+
+	Describe("#Wait", func() {
+		BeforeEach(func() {
+			DeferCleanup(test.WithVars(
+				&DefaultInterval, time.Millisecond,
+				&DefaultTimeout, 100*time.Millisecond,
+			))
+		})
+
+		It("should successfully wait for the deployment to be updated", func() {
+			deploy := deployment.DeepCopy()
+
+			Expect(fakeClient.Create(ctx, deploy)).To(Succeed())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(deploy), deploy)).To(Succeed())
+
+			Expect(fakeClient.Create(ctx, &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "pod",
+					Namespace: deployment.Namespace,
+					Labels:    deployment.Spec.Selector.MatchLabels,
+				},
+			})).To(Succeed())
+
+			timer := time.AfterFunc(10*time.Millisecond, func() {
+				deploy.Generation = 24
+				deploy.Spec.Replicas = pointer.Int32(1)
+				deploy.Status.Conditions = []appsv1.DeploymentCondition{
+					{Type: appsv1.DeploymentProgressing, Status: "True", Reason: "NewReplicaSetAvailable"},
+					{Type: appsv1.DeploymentAvailable, Status: "True"},
+				}
+				deploy.Status.ObservedGeneration = deploy.Generation
+				deploy.Status.Replicas = *deploy.Spec.Replicas
+				deploy.Status.UpdatedReplicas = *deploy.Spec.Replicas
+				deploy.Status.AvailableReplicas = *deploy.Spec.Replicas
+				Expect(fakeClient.Update(ctx, deploy)).To(Succeed())
+			})
+			defer timer.Stop()
+
+			Expect(mcm.Wait(ctx)).To(Succeed())
+		})
+	})
+
+	Describe("#WaitCleanup", func() {
+		BeforeEach(func() {
+			DeferCleanup(test.WithVars(
+				&DefaultInterval, time.Millisecond,
+				&DefaultTimeout, 100*time.Millisecond,
+			))
+		})
+
+		It("should time out while waiting for the deployment to be deleted", func() {
+			Expect(fakeClient.Create(ctx, deployment)).To(Succeed())
+			Expect(mcm.WaitCleanup(ctx)).To(MatchError(ContainSubstring("context deadline exceeded")))
+		})
+
+		It("should successfully wait for the deployment to be deleted", func() {
+			deploy := deployment.DeepCopy()
+
+			Expect(fakeClient.Create(ctx, deploy)).To(Succeed())
+			Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(deploy), deploy)).To(Succeed())
+
+			timer := time.AfterFunc(10*time.Millisecond, func() {
+				Expect(fakeClient.Delete(ctx, deploy)).To(Succeed())
+				Expect(fakeClient.Get(ctx, client.ObjectKeyFromObject(deploy), deploy)).To(BeNotFoundError())
+			})
+			defer timer.Stop()
+
+			Expect(mcm.WaitCleanup(ctx)).To(Succeed())
+		})
+	})
+})
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/mock/doc.go b/pkg/operation/botanist/component/machinecontrollermanager/mock/doc.go
new file mode 100644
index 00000000000..5560ce11e26
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/mock/doc.go
@@ -0,0 +1,17 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:generate mockgen -package mock -destination=mocks.go github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager Interface
+
+package mock
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/mock/mocks.go b/pkg/operation/botanist/component/machinecontrollermanager/mock/mocks.go
new file mode 100644
index 00000000000..4289882ba62
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/mock/mocks.go
@@ -0,0 +1,134 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager (interfaces: Interface)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	types "k8s.io/apimachinery/pkg/types"
+)
+
+// MockInterface is a mock of Interface interface.
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance.
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// AlertingRules mocks base method.
+func (m *MockInterface) AlertingRules() (map[string]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AlertingRules")
+	ret0, _ := ret[0].(map[string]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AlertingRules indicates an expected call of AlertingRules.
+func (mr *MockInterfaceMockRecorder) AlertingRules() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AlertingRules", reflect.TypeOf((*MockInterface)(nil).AlertingRules))
+}
+
+// Deploy mocks base method.
+func (m *MockInterface) Deploy(arg0 context.Context) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Deploy", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Deploy indicates an expected call of Deploy.
+func (mr *MockInterfaceMockRecorder) Deploy(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Deploy", reflect.TypeOf((*MockInterface)(nil).Deploy), arg0)
+}
+
+// Destroy mocks base method.
+func (m *MockInterface) Destroy(arg0 context.Context) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Destroy", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Destroy indicates an expected call of Destroy.
+func (mr *MockInterfaceMockRecorder) Destroy(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Destroy", reflect.TypeOf((*MockInterface)(nil).Destroy), arg0)
+}
+
+// ScrapeConfigs mocks base method.
+func (m *MockInterface) ScrapeConfigs() ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ScrapeConfigs")
+	ret0, _ := ret[0].([]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ScrapeConfigs indicates an expected call of ScrapeConfigs.
+func (mr *MockInterfaceMockRecorder) ScrapeConfigs() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ScrapeConfigs", reflect.TypeOf((*MockInterface)(nil).ScrapeConfigs))
+}
+
+// SetNamespaceUID mocks base method.
+func (m *MockInterface) SetNamespaceUID(arg0 types.UID) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNamespaceUID", arg0)
+}
+
+// SetNamespaceUID indicates an expected call of SetNamespaceUID.
+func (mr *MockInterfaceMockRecorder) SetNamespaceUID(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNamespaceUID", reflect.TypeOf((*MockInterface)(nil).SetNamespaceUID), arg0)
+}
+
+// Wait mocks base method.
+func (m *MockInterface) Wait(arg0 context.Context) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Wait", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Wait indicates an expected call of Wait.
+func (mr *MockInterfaceMockRecorder) Wait(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Wait", reflect.TypeOf((*MockInterface)(nil).Wait), arg0)
+}
+
+// WaitCleanup mocks base method.
+func (m *MockInterface) WaitCleanup(arg0 context.Context) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WaitCleanup", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WaitCleanup indicates an expected call of WaitCleanup.
+func (mr *MockInterfaceMockRecorder) WaitCleanup(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WaitCleanup", reflect.TypeOf((*MockInterface)(nil).WaitCleanup), arg0)
+}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/monitoring.go b/pkg/operation/botanist/component/machinecontrollermanager/monitoring.go
new file mode 100644
index 00000000000..30a5e337403
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/monitoring.go
@@ -0,0 +1,144 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager
+
+import (
+	"bytes"
+	"strings"
+	"text/template"
+
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+
+	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+)
+
+const (
+	monitoringPrometheusJobName = "machine-controller-manager"
+
+	monitoringMetricMCMCloudAPIRequestsFailedTotal             = "mcm_cloud_api_requests_failed_total"
+	monitoringMetricMCMCloudAPIRequestsTotal                   = "mcm_cloud_api_requests_total"
+	monitoringMetricMCMMachineControllerFrozen                 = "mcm_machine_controller_frozen"
+	monitoringMetricMCMMachineCurrentStatusPhase               = "mcm_machine_current_status_phase"
+	monitoringMetricMCMMachineDeploymentFailedMachines         = "mcm_machine_deployment_failed_machines"
+	monitoringMetricMCMMachineItemsTotal                       = "mcm_machine_items_total"
+	monitoringMetricMCMMachineSetFailedMachines                = "mcm_machine_set_failed_machines"
+	monitoringMetricMCMMachineDeploymentItemsTotal             = "mcm_machine_deployment_items_total"
+	monitoringMetricMCMMachineSetItemsTotal                    = "mcm_machine_set_items_total"
+	monitoringMetricMCMScrapeFailureTotal                      = "mcm_scrape_failure_total"
+	monitoringMetricMCMWorkqueueAddsTotal                      = "mcm_workqueue_adds_total"
+	monitoringMetricMCMWorkqueueDepth                          = "mcm_workqueue_depth"
+	monitoringMetricMCMWorkqueueQueueDurationSecondsBucket     = "mcm_workqueue_queue_duration_seconds_bucket"
+	monitoringMetricMCMWorkqueueQueueDurationSecondsSum        = "mcm_workqueue_queue_duration_seconds_sum"
+	monitoringMetricMCMWorkqueueQueueDurationSecondsCount      = "mcm_workqueue_queue_duration_seconds_count"
+	monitoringMetricMCMWorkqueueWorkDurationSecondsBucket      = "mcm_workqueue_work_duration_seconds_bucket"
+	monitoringMetricMCMWorkqueueWorkDurationSecondsSum         = "mcm_workqueue_work_duration_seconds_sum"
+	monitoringMetricMCMWorkqueueWorkDurationSecondsCount       = "mcm_workqueue_work_duration_seconds_count"
+	monitoringMetricMCMWorkqueueUnfinishedWorkSeconds          = "mcm_workqueue_unfinished_work_seconds"
+	monitoringMetricMCMWorkqueueLongestRunningProcessorSeconds = "mcm_workqueue_longest_running_processor_seconds"
+	monitoringMetricMCMWorkqueueRetriesTotal                   = "mcm_workqueue_retries_total"
+	monitoringMetricProcessMaxFds                              = "process_max_fds"
+	monitoringMetricProcessOpenFds                             = "process_open_fds"
+
+	monitoringAlertingRules = `groups:
+- name: machine-controller-manager.rules
+  rules:
+  - alert: MachineControllerManagerDown
+    expr: absent(up{job="` + monitoringPrometheusJobName + `"} == 1)
+    for: 15m
+    labels:
+      service: ` + v1beta1constants.DeploymentNameMachineControllerManager + `
+      severity: critical
+      type: seed
+      visibility: operator
+    annotations:
+      description: There are no running machine controller manager instances. No shoot nodes can be created/maintained.
+      summary: Machine controller manager is down.
+`
+)
+
+var (
+	monitoringAllowedMetrics = []string{
+		monitoringMetricMCMCloudAPIRequestsFailedTotal,
+		monitoringMetricMCMCloudAPIRequestsTotal,
+		monitoringMetricMCMMachineControllerFrozen,
+		monitoringMetricMCMMachineCurrentStatusPhase,
+		monitoringMetricMCMMachineDeploymentFailedMachines,
+		monitoringMetricMCMMachineItemsTotal,
+		monitoringMetricMCMMachineSetFailedMachines,
+		monitoringMetricMCMMachineDeploymentItemsTotal,
+		monitoringMetricMCMMachineSetItemsTotal,
+		monitoringMetricMCMScrapeFailureTotal,
+		monitoringMetricMCMWorkqueueAddsTotal,
+		monitoringMetricMCMWorkqueueDepth,
+		monitoringMetricMCMWorkqueueQueueDurationSecondsBucket,
+		monitoringMetricMCMWorkqueueQueueDurationSecondsSum,
+		monitoringMetricMCMWorkqueueQueueDurationSecondsCount,
+		monitoringMetricMCMWorkqueueWorkDurationSecondsBucket,
+		monitoringMetricMCMWorkqueueWorkDurationSecondsSum,
+		monitoringMetricMCMWorkqueueWorkDurationSecondsCount,
+		monitoringMetricMCMWorkqueueUnfinishedWorkSeconds,
+		monitoringMetricMCMWorkqueueLongestRunningProcessorSeconds,
+		monitoringMetricMCMWorkqueueRetriesTotal,
+		monitoringMetricProcessMaxFds,
+		monitoringMetricProcessOpenFds,
+	}
+
+	monitoringScrapeConfigTmpl = `job_name: ` + monitoringPrometheusJobName + `
+honor_labels: false
+kubernetes_sd_configs:
+- role: endpoints
+  namespaces:
+    names: [{{ .namespace }}]
+relabel_configs:
+- source_labels:
+  - __meta_kubernetes_service_name
+  - __meta_kubernetes_endpoint_port_name
+  action: keep
+  regex: ` + serviceName + `;` + portNameMetrics + `
+- action: labelmap
+  regex: __meta_kubernetes_service_label_(.+)
+- source_labels: [ __meta_kubernetes_pod_name ]
+  target_label: pod
+metric_relabel_configs:
+- source_labels: [ __name__ ]
+  action: keep
+  regex: ^(` + strings.Join(monitoringAllowedMetrics, "|") + `)$
+`
+
+	monitoringScrapeConfigTemplate *template.Template
+)
+
+func init() {
+	var err error
+
+	monitoringScrapeConfigTemplate, err = template.New("monitoring-scrape-config").Parse(monitoringScrapeConfigTmpl)
+	utilruntime.Must(err)
+}
+
+// ScrapeConfigs returns the scrape configurations for Prometheus.
+func (m *machineControllerManager) ScrapeConfigs() ([]string, error) {
+	var scrapeConfig bytes.Buffer
+
+	if err := monitoringScrapeConfigTemplate.Execute(&scrapeConfig, map[string]interface{}{"namespace": m.namespace}); err != nil {
+		return nil, err
+	}
+
+	return []string{scrapeConfig.String()}, nil
+}
+
+// AlertingRules returns the alerting rules for AlertManager.
+func (m *machineControllerManager) AlertingRules() (map[string]string, error) {
+	return map[string]string{"machine-controller-manager.rules.yaml": monitoringAlertingRules}, nil
+}
diff --git a/pkg/operation/botanist/component/machinecontrollermanager/monitoring_test.go b/pkg/operation/botanist/component/machinecontrollermanager/monitoring_test.go
new file mode 100644
index 00000000000..21c3c1c5fd0
--- /dev/null
+++ b/pkg/operation/botanist/component/machinecontrollermanager/monitoring_test.go
@@ -0,0 +1,84 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package machinecontrollermanager_test
+
+import (
+	"github.com/Masterminds/semver"
+	. "github.com/onsi/ginkgo/v2"
+
+	"github.com/gardener/gardener/pkg/operation/botanist/component"
+	. "github.com/gardener/gardener/pkg/operation/botanist/component/machinecontrollermanager"
+	"github.com/gardener/gardener/pkg/operation/botanist/component/test"
+)
+
+var _ = Describe("Monitoring", func() {
+	var mcm component.MonitoringComponent
+
+	BeforeEach(func() {
+		mcm = New(nil, "some-namespace", nil, Values{RuntimeKubernetesVersion: semver.MustParse("1.26.1")})
+	})
+
+	Describe("#ScrapeConfig", func() {
+		It("should successfully test the scrape configuration", func() {
+			test.ScrapeConfigs(mcm, expectedScrapeConfig)
+		})
+	})
+
+	Describe("#AlertingRules", func() {
+		It("should successfully test the alerting rules", func() {
+			test.AlertingRules(mcm, map[string]string{"machine-controller-manager.rules.yaml": expectedAlertingRule})
+		})
+	})
+})
+
+const (
+	expectedScrapeConfig = `job_name: machine-controller-manager
+honor_labels: false
+kubernetes_sd_configs:
+- role: endpoints
+  namespaces:
+    names: [some-namespace]
+relabel_configs:
+- source_labels:
+  - __meta_kubernetes_service_name
+  - __meta_kubernetes_endpoint_port_name
+  action: keep
+  regex: machine-controller-manager;metrics
+- action: labelmap
+  regex: __meta_kubernetes_service_label_(.+)
+- source_labels: [ __meta_kubernetes_pod_name ]
+  target_label: pod
+metric_relabel_configs:
+- source_labels: [ __name__ ]
+  action: keep
+  regex: ^(mcm_cloud_api_requests_failed_total|mcm_cloud_api_requests_total|mcm_machine_controller_frozen|mcm_machine_current_status_phase|mcm_machine_deployment_failed_machines|mcm_machine_items_total|mcm_machine_set_failed_machines|mcm_machine_deployment_items_total|mcm_machine_set_items_total|mcm_scrape_failure_total|mcm_workqueue_adds_total|mcm_workqueue_depth|mcm_workqueue_queue_duration_seconds_bucket|mcm_workqueue_queue_duration_seconds_sum|mcm_workqueue_queue_duration_seconds_count|mcm_workqueue_work_duration_seconds_bucket|mcm_workqueue_work_duration_seconds_sum|mcm_workqueue_work_duration_seconds_count|mcm_workqueue_unfinished_work_seconds|mcm_workqueue_longest_running_processor_seconds|mcm_workqueue_retries_total|process_max_fds|process_open_fds)$
+`
+
+	expectedAlertingRule = `groups:
+- name: machine-controller-manager.rules
+  rules:
+  - alert: MachineControllerManagerDown
+    expr: absent(up{job="machine-controller-manager"} == 1)
+    for: 15m
+    labels:
+      service: machine-controller-manager
+      severity: critical
+      type: seed
+      visibility: operator
+    annotations:
+      description: There are no running machine controller manager instances. No shoot nodes can be created/maintained.
+      summary: Machine controller manager is down.
+`
+)