diff --git a/pkg/server/bootstrap_server.go b/pkg/server/bootstrap_server.go
index 16db9d09f9..82559cb580 100644
--- a/pkg/server/bootstrap_server.go
+++ b/pkg/server/bootstrap_server.go
@@ -56,7 +56,9 @@ func NewBootstrapServer(dir, kubeconfig string) (Server, error) {
 // 4. Append the machine annotations file.
 // 5. Append the KubeConfig file.
 func (bsc *bootstrapServer) GetConfig(cr poolRequest) (*igntypes.Config, error) {
-
+ if cr.machineConfigPool != "master" {
+ return nil, fmt.Errorf("refusing to serve bootstrap configuration to pool %q", cr.machineConfigPool)
+ }
 // 1. Read the Machine Config Pool object.
 fileName := path.Join(bsc.serverBaseDir, "machine-pools", cr.machineConfigPool+".yaml")
 glog.Infof("reading file %q", fileName)
diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go
index 22ae2612e8..27f84ae71b 100644
--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -120,7 +120,7 @@ func TestBootstrapServer(t *testing.T) {
 t.Fatal(err)
 }
 res, err := bs.GetConfig(poolRequest{
- machineConfigPool: testPool,
+ machineConfigPool: "master",
 })
 if err != nil {
 t.Fatalf("expected err to be nil, received: %v", err)
@@ -129,6 +129,14 @@ func TestBootstrapServer(t *testing.T) {
 // assert on the output.
 validateIgnitionFiles(t, mc.Spec.Config.Storage.Files, res.Storage.Files)
 validateIgnitionSystemd(t, mc.Spec.Config.Systemd.Units, res.Systemd.Units)
+
+ // verify bootstrap cannot serve ignition to other pool than master
+ res, err = bs.GetConfig(poolRequest{
+ machineConfigPool: testPool,
+ })
+ if err == nil {
+ t.Fatalf("expected bootstrap server to not serve ignition to non-master pools")
+ }
 }

 // TestClusterServer tests the behavior of the machine config server
diff --git a/pkg/server/testdata/machine-pools/master.yaml b/pkg/server/testdata/machine-pools/master.yaml
new file mode 100644
index 0000000000..45bdeb645a
--- /dev/null
+++ b/pkg/server/testdata/machine-pools/master.yaml
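Review bot: The pool guard added at the top of GetConfig in pkg/server/bootstrap_server.go refuses the request without logging it, and returns a plain `fmt.Errorf` value that the caller cannot tell apart from the file-read failures further down. Because this check is the gate on bootstrap Ignition data, I would record the refusal, e.g. `glog.Warningf("refusing bootstrap config for pool %q", cr.machineConfigPool)`, and consider a sentinel error so the HTTP handler (outside this diff) can answer with a client error rather than a server error. The literal `"master"` would read better as a named constant with a comment such as `// Only the master pool is served during bootstrap.`, and the numbered doc comment above the function should list the check as a step. The guard compares a name that presumably comes from the request, so it narrows what is served rather than who may ask. GetConfig's body continues past the end of the hunk.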
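Review bot: The negative case added to TestBootstrapServer in pkg/server/server_test.go only checks `err`, so a regression that returns an error together with a populated config would still pass; the reassigned `res` is never inspected. I would tighten the condition to `if err == nil || res != nil {` and use `t.Fatal`, since the message has no format arguments. The case also covers a single name (`testPool`); a small table with the empty string, a differently cased `Master`, and a name containing a path separator would pin the guard to an exact match, which matters because GetConfig joins the name into a file path.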
@@ -0,0 +1,24 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfigPool
+metadata:
+ creationTimestamp: null
+ name: master
+spec:
+ configuration:
+ name: test-config
+ machineConfigSelector:
+ matchLabels:
+ machineconfiguration.openshift.io/role: test
+ nodeSelector:
+ matchLabels:
+ node-role.kubernetes.io/test: ""
+ maxUnavailable: null
+ paused: false
+status:
+ conditions: null
+ configuration:
+ name: test-config
+ machineCount: 0
+ readyMachineCount: 0
+ unavailableMachineCount: 0
+ updatedMachineCount: 0
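Review bot: This fixture is named `master` but its `machineConfigSelector` and `nodeSelector` labels still say `test`, which looks like a copy of the existing test pool with only `metadata.name` changed. If that is intentional so the pool resolves to `test-config`, a leading comment such as `# Test fixture: master pool backed by test-config; role labels are deliberately left as "test".` would save the next reader from treating it as a mistake.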