diff --git a/pkg/apis/aws/helper/scheme.go b/pkg/apis/aws/helper/scheme.go
index 955362581..f5983a758 100644
--- a/pkg/apis/aws/helper/scheme.go
+++ b/pkg/apis/aws/helper/scheme.go
@@ -28,6 +28,7 @@ var (
 func init() {
 	Scheme = runtime.NewScheme()
 	utilruntime.Must(install.AddToScheme(Scheme))
+	utilruntime.Must(extensionsv1alpha1.AddToScheme(Scheme))
 
 	decoder = serializer.NewCodecFactory(Scheme, serializer.EnableStrict).UniversalDecoder()
 }
@@ -44,6 +45,18 @@ func CloudProfileConfigFromCluster(cluster *controller.Cluster) (*api.CloudProfi
 	return cloudProfileConfig, nil
 }
 
+// InfrastructureFromCluster decodes the infrastructure for a shoot cluster
+func InfrastructureFromCluster(cluster *controller.Cluster) (*extensionsv1alpha1.Infrastructure, error) {
+	var infra *extensionsv1alpha1.Infrastructure
+	if cluster != nil && cluster.Shoot != nil && cluster.Shoot.Spec.Provider.InfrastructureConfig != nil && cluster.Shoot.Spec.Provider.InfrastructureConfig.Raw != nil {
+		infra = &extensionsv1alpha1.Infrastructure{}
+		if _, _, err := decoder.Decode(cluster.Shoot.Spec.Provider.InfrastructureConfig.Raw, nil, infra); err != nil {
+			return nil, fmt.Errorf("could not decode infrastructure of shoot '%s': %w", k8sclient.ObjectKeyFromObject(cluster.Shoot), err)
+		}
+	}
+	return infra, nil
+}
+
 // InfrastructureConfigFromInfrastructure extracts the InfrastructureConfig from the
 // ProviderConfig section of the given Infrastructure.
 func InfrastructureConfigFromInfrastructure(infra *extensionsv1alpha1.Infrastructure) (*api.InfrastructureConfig, error) {
diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go
index ad7d9fc7e..2c45e0bc5 100644
--- a/pkg/webhook/controlplane/ensurer.go
+++ b/pkg/webhook/controlplane/ensurer.go
@@ -362,11 +362,8 @@ func (e *ensurer) EnsureKubeletServiceUnitOptions(ctx context.Context, gctx gcon
 		}
 
 		if k8sGreaterEqual127 {
-			infra := &extensionsv1alpha1.Infrastructure{}
-			if err := e.client.Get(ctx, client.ObjectKey{
-				Namespace: cluster.ObjectMeta.Name,
-				Name:      cluster.Shoot.Name,
-			}, infra); err != nil {
+			infra, err := helper.InfrastructureFromCluster(cluster)
+			if err != nil {
 				return nil, err
 			}
 			infraConfig, err := helper.InfrastructureConfigFromInfrastructure(infra)
@@ -590,14 +587,10 @@ func (e *ensurer) EnsureAdditionalFiles(ctx context.Context, gctx gcontext.Garde
 		return nil
 	}
 
-	infra := &extensionsv1alpha1.Infrastructure{}
-	if err := e.client.Get(ctx, client.ObjectKey{
-		Namespace: cluster.ObjectMeta.Name,
-		Name:      cluster.Shoot.Name,
-	}, infra); err != nil {
+	infra, err := helper.InfrastructureFromCluster(cluster)
+	if err != nil {
 		return err
 	}
-
 	infraConfig, err := helper.InfrastructureConfigFromInfrastructure(infra)
 	if err != nil {
 		return err
diff --git a/pkg/webhook/controlplane/ensurer_test.go b/pkg/webhook/controlplane/ensurer_test.go
index 6ef10c5df..b24ae4236 100644
--- a/pkg/webhook/controlplane/ensurer_test.go
+++ b/pkg/webhook/controlplane/ensurer_test.go
@@ -6,6 +6,7 @@ package controlplane
 
 import (
 	"context"
+	"encoding/json"
 	"testing"
 
 	"github.com/Masterminds/semver/v3"
@@ -33,7 +34,6 @@ import (
 	vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
 	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
 	"k8s.io/utils/ptr"
-	k8sclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/gardener/gardener-extension-provider-aws/imagevector"
 	"github.com/gardener/gardener-extension-provider-aws/pkg/apis/aws/v1alpha1"
@@ -124,6 +124,48 @@ var _ = Describe("Ensurer", func() {
 				},
 			},
 		}
+
+	})
+
+	JustBeforeEach(func() {
+		eContextK8s126 = gcontext.NewInternalGardenContext(
+			&extensionscontroller.Cluster{
+				Shoot: &gardencorev1beta1.Shoot{
+					Spec: gardencorev1beta1.ShootSpec{
+						Kubernetes: gardencorev1beta1.Kubernetes{
+							Version: "1.26.1",
+						},
+						Provider: gardencorev1beta1.Provider{
+							InfrastructureConfig: &runtime.RawExtension{
+								Raw: encode(infrastructure),
+							},
+						},
+					},
+				},
+			},
+		)
+		eContextK8s127 = gcontext.NewInternalGardenContext(
+			&extensionscontroller.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "shoot--project--foo",
+				},
+				Shoot: &gardencorev1beta1.Shoot{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "foo",
+					},
+					Spec: gardencorev1beta1.ShootSpec{
+						Kubernetes: gardencorev1beta1.Kubernetes{
+							Version: "1.27.1",
+						},
+						Provider: gardencorev1beta1.Provider{
+							InfrastructureConfig: &runtime.RawExtension{
+								Raw: encode(infrastructure),
+							},
+						},
+					},
+				},
+			},
+		)
 	})
 
 	AfterEach(func() {
@@ -493,13 +535,6 @@ done
 				files = []extensionsv1alpha1.File{oldFile}
 			)
 
-			c.EXPECT().Get(ctx, gomock.Any(), gomock.AssignableToTypeOf(&extensionsv1alpha1.Infrastructure{})).DoAndReturn(
-				func(_ context.Context, _ k8sclient.ObjectKey, infra *extensionsv1alpha1.Infrastructure, _ ...k8sclient.GetOption) error {
-					*infra = *infrastructure
-					return nil
-				},
-			)
-
 			// Create ensurer
 			ensurer := NewEnsurer(logger, c)
 
@@ -535,38 +570,36 @@ done
 			Expect(files).To(ConsistOf(oldFile, additionalFile))
 		})
 
-		It("should not add credential provider files to the current ones if ECRAccess is disabled", func() {
-			var (
-				oldFile        = extensionsv1alpha1.File{Path: "oldpath"}
-				additionalFile = extensionsv1alpha1.File{
-					Path:        filePath,
-					Permissions: &permissions,
-					Content: extensionsv1alpha1.FileContent{
-						Inline: &extensionsv1alpha1.FileContentInline{
-							Encoding: "",
-							Data:     customFileContent,
-						},
-					},
-				}
+		Context("ECRAccess is disabled", func() {
+			BeforeEach(func() {
+				infraConfig.EnableECRAccess = ptr.To(false)
+			})
 
-				files = []extensionsv1alpha1.File{oldFile}
-			)
+			It("should not add credential provider files to the current ones if ECRAccess is disabled", func() {
+				var (
+					oldFile        = extensionsv1alpha1.File{Path: "oldpath"}
+					additionalFile = extensionsv1alpha1.File{
+						Path:        filePath,
+						Permissions: &permissions,
+						Content: extensionsv1alpha1.FileContent{
+							Inline: &extensionsv1alpha1.FileContentInline{
+								Encoding: "",
+								Data:     customFileContent,
+							},
+						},
+					}
 
-			infraConfig.EnableECRAccess = ptr.To(false)
-			c.EXPECT().Get(ctx, gomock.Any(), gomock.AssignableToTypeOf(&extensionsv1alpha1.Infrastructure{})).DoAndReturn(
-				func(_ context.Context, _ k8sclient.ObjectKey, infra *extensionsv1alpha1.Infrastructure, _ ...k8sclient.GetOption) error {
-					*infra = *infrastructure
-					return nil
-				},
-			)
+					files = []extensionsv1alpha1.File{oldFile}
+				)
 
-			// Create ensurer
-			ensurer := NewEnsurer(logger, c)
+				// Create ensurer
+				ensurer := NewEnsurer(logger, c)
 
-			// Call EnsureAdditionalFiles method and check the result
-			err := ensurer.EnsureAdditionalFiles(ctx, eContextK8s127, &files, nil)
-			Expect(err).To(Not(HaveOccurred()))
-			Expect(files).To(ConsistOf(oldFile, additionalFile))
+				// Call EnsureAdditionalFiles method and check the result
+				err := ensurer.EnsureAdditionalFiles(ctx, eContextK8s127, &files, nil)
+				Expect(err).To(Not(HaveOccurred()))
+				Expect(files).To(ConsistOf(oldFile, additionalFile))
+			})
 		})
 
 		It("should add additional files to the current ones", func() {
@@ -665,32 +698,22 @@ done
 				Expect(opts).To(Equal(newUnitOptions))
 			})
 
-			It("kubelet version >= 1.27 without ECR access", func() {
-				c.EXPECT().Get(ctx, gomock.Any(), gomock.AssignableToTypeOf(&extensionsv1alpha1.Infrastructure{})).DoAndReturn(
-					func(_ context.Context, _ k8sclient.ObjectKey, infra *extensionsv1alpha1.Infrastructure, _ ...k8sclient.GetOption) error {
-						*infra = *infrastructure
+			Context("ECRAccess is disabled", func() {
+				BeforeEach(func() {
+					infraConfig.EnableECRAccess = ptr.To(false)
+				})
 
-						infraConfig.EnableECRAccess = ptr.To(false)
-						return nil
-					},
-				).AnyTimes()
-
-				opts, err := ensurer.EnsureKubeletServiceUnitOptions(ctx, eContextK8s127, semver.MustParse("1.27.0"), oldUnitOptions, nil)
-				Expect(err).To(Not(HaveOccurred()))
-				Expect(opts).To(Equal(newUnitOptions))
+				It("kubelet version >= 1.27 without ECR access", func() {
+					opts, err := ensurer.EnsureKubeletServiceUnitOptions(ctx, eContextK8s127, semver.MustParse("1.27.0"), oldUnitOptions, nil)
+					Expect(err).To(Not(HaveOccurred()))
+					Expect(opts).To(Equal(newUnitOptions))
+				})
 			})
 
 			It("kubelet version >= 1.27 with ECR Access", func() {
 				newUnitOptions[0].Value += addCmdOption("--image-credential-provider-config=/opt/gardener/ecr-credential-provider-config.json")
 				newUnitOptions[0].Value += addCmdOption("--image-credential-provider-bin-dir=/opt/bin/")
 
-				c.EXPECT().Get(ctx, gomock.Any(), gomock.AssignableToTypeOf(&extensionsv1alpha1.Infrastructure{})).DoAndReturn(
-					func(_ context.Context, _ k8sclient.ObjectKey, infra *extensionsv1alpha1.Infrastructure, _ ...k8sclient.GetOption) error {
-						*infra = *infrastructure
-						return nil
-					},
-				).AnyTimes()
-
 				opts, err := ensurer.EnsureKubeletServiceUnitOptions(ctx, eContextK8s127, semver.MustParse("1.27.0"), oldUnitOptions, nil)
 				Expect(err).To(Not(HaveOccurred()))
 				Expect(opts).To(Equal(newUnitOptions))
@@ -929,3 +952,8 @@ func addCmdOption(s string) string {
 	return ` \
     ` + s
 }
+
+func encode(obj runtime.Object) []byte {
+	data, _ := json.Marshal(obj)
+	return data
+}