diff --git a/pkg/registry/core/tenantsecret/rest.go b/pkg/registry/core/tenantsecret/rest.go
index a13426e6..824ab37d 100644
--- a/pkg/registry/core/tenantsecret/rest.go
+++ b/pkg/registry/core/tenantsecret/rest.go
@@ -226,6 +226,9 @@ func (r *REST) Get(
 if err != nil {
 return nil, err
 }
+ if sec.Labels == nil || sec.Labels[tsLabelKey] != tsLabelValue {
+ return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+ }
 return secretToTenant(sec), nil
 }
@@ -253,11 +256,13 @@ func (r *REST) List(ctx context.Context, opts *metainternal.ListOptions) (runtim
 list := &corev1.SecretList{}
 err = r.c.List(ctx, list, &client.ListOptions{
- Namespace: ns,
+ Namespace: ns,
+ LabelSelector: ls,
 Raw: &metav1.ListOptions{
 LabelSelector: ls.String(),
 FieldSelector: fieldSel,
- }})
+ },
+ })
 if err != nil {
 return nil, err
 }
@@ -291,10 +296,17 @@ func (r *REST) Update(
 return nil, false, err
 }
- cur := &corev1.Secret{}
- err = r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, cur, &client.GetOptions{Raw: &metav1.GetOptions{}})
- if err != nil && !apierrors.IsNotFound(err) {
- return nil, false, err
+ var cur *corev1.Secret
+ previous := &corev1.Secret{}
+ if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, previous, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+ if !apierrors.IsNotFound(err) {
+ return nil, false, err
+ }
+ } else {
+ if previous.Labels == nil || previous.Labels[tsLabelKey] != tsLabelValue {
+ return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+ }
+ cur = previous
 }
 newObj, err := objInfo.UpdatedObject(ctx, nil)
@@ -306,7 +318,7 @@ func (r *REST) Update(
 newSec := tenantToSecret(in, cur)
 newSec.Namespace = ns
 if cur == nil {
- if !forceCreate && err == nil {
+ if !forceCreate {
 return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
 }
 err := r.c.Create(ctx, newSec, &client.CreateOptions{Raw: &metav1.CreateOptions{}})
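Review bot: The tenant-label test added after the fetch in Get is written out again in the Update, Delete and Patch hunks, so isolation depends on four hand-copied conditions staying in sync. A small predicate such as `func isTenantSecret(s *corev1.Secret) bool { return s.Labels[tsLabelKey] == tsLabelValue }` would give one place to audit; indexing a nil map is safe in Go, so the explicit `Labels == nil` guard adds nothing unless `tsLabelValue` can be empty, which is not visible here. A short comment on the check, e.g. `// Secrets without the tenant label are reported as NotFound, not Forbidden.`, would record the intent. Get's body starts outside the hunk.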
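Review bot: In the List call only the label selector is promoted to the typed `LabelSelector` field; `FieldSelector: fieldSel` still travels in `Raw` alone. If the reason for this change is that the client behind `r.c` does not honour `Raw` (a cache-backed reader, for example; not visible here), the field selector would be dropped the same way, so consider setting the typed `FieldSelector` field as well and adding a one-line comment such as `// typed selector for clients that ignore Raw`. Because tenant isolation in List rests on the selector actually being applied, re-checking each returned item's label before conversion would be a cheap second guard. `ls` and `fieldSel` are built above the hunk, so whether `ls` always contains the tenant label cannot be confirmed from here.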
@@ -328,6 +340,13 @@ func (r *REST) Delete(
 if err != nil {
 return nil, false, err
 }
+ current := &corev1.Secret{}
+ if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, current, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+ return nil, false, err
+ }
+ if current.Labels == nil || current.Labels[tsLabelKey] != tsLabelValue {
+ return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+ }
 err = r.c.Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: name}}, &client.DeleteOptions{Raw: opts})
 return nil, err == nil, err
 }
@@ -347,6 +366,13 @@ func (r *REST) Patch(
 if err != nil {
 return nil, err
 }
+ current := &corev1.Secret{}
+ if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, current, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+ return nil, err
+ }
+ if current.Labels == nil || current.Labels[tsLabelKey] != tsLabelValue {
+ return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+ }
 out := &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: ns,
@@ -383,12 +409,16 @@ func (r *REST) Watch(ctx context.Context, opts *metainternal.ListOptions) (watch
 }
 secList := &corev1.SecretList{}
- ls := labels.Set{tsLabelKey: tsLabelValue}.AsSelector().String()
- base, err := r.w.Watch(ctx, secList, &client.ListOptions{Namespace: ns, Raw: &metav1.ListOptions{
- Watch: true,
- LabelSelector: ls,
- ResourceVersion: opts.ResourceVersion,
- }})
+ ls := labels.Set{tsLabelKey: tsLabelValue}.AsSelector()
+ base, err := r.w.Watch(ctx, secList, &client.ListOptions{
+ Namespace: ns,
+ LabelSelector: ls,
+ Raw: &metav1.ListOptions{
+ Watch: true,
+ LabelSelector: ls.String(),
+ ResourceVersion: opts.ResourceVersion,
+ },
+ })
 if err != nil {
 return nil, err
 }
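Review bot: In Delete the label is checked on `current`, but the `r.c.Delete` that follows addresses the Secret by namespace and name only, so an object that is removed and recreated without the tenant label between the two calls would still be deleted. Pinning the delete to the object that was checked closes that window, for example `opts.Preconditions = &metav1.Preconditions{UID: &current.UID}` when the caller supplied no precondition of its own (and `opts` is non-nil, which the hunk does not show). The Patch hunk has the same read-then-write shape, and Update may as well, depending on how the write below its hunk is issued.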
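Review bot: The error from the new `r.c.Get` in Patch is returned unchanged, while a label mismatch returns a NotFound built from `r.gvr.GroupResource()`. If the client's NotFound names the core Secret resource (likely, but not visible here), a caller can tell "no Secret with this name" from "a Secret exists but is not a tenant secret", which is the distinction the label check is meant to hide. Mapping it makes both cases identical: `if apierrors.IsNotFound(err) { return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name) }`. The Delete hunk returns its Get error the same way, and Patch's body continues outside the hunk.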
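Review bot: The selector passed to Watch is built only from the tenant label, so within the visible lines a label or field selector supplied by the caller in `opts` is not applied, whereas List uses an `ls` built above its hunk. The result stays inside tenant-labelled Secrets, so this looks like a correctness gap rather than an isolation one; if filtering happens on the wrapped watcher below the hunk, a comment such as `// caller selectors are applied when converting events` should say so. `Watch: true` and `ResourceVersion` are still passed through `Raw` only, which deserves the same check as the selector if the client behind `r.w` ignores `Raw`. Watch's body continues outside the hunk.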