diff --git a/internal/resources/addons/coredns.go b/internal/resources/addons/coredns.go
index 3383d45..8fcc9dd 100644
--- a/internal/resources/addons/coredns.go
+++ b/internal/resources/addons/coredns.go
@@ -21,6 +21,7 @@ import (
 "github.com/clastix/kamaji/internal/constants"
 "github.com/clastix/kamaji/internal/kubeadm"
 "github.com/clastix/kamaji/internal/resources"
+ addons_utils "github.com/clastix/kamaji/internal/resources/addons/utils"
 "github.com/clastix/kamaji/internal/resources/utils"
 "github.com/clastix/kamaji/internal/utilities"
 )
@@ -235,32 +236,32 @@ func (c *CoreDNS) decodeManifests(ctx context.Context, tcp *kamajiv1alpha1.Tenan if err = utilities.DecodeFromYAML(string(parts[1]), c.deployment); err != nil { return errors.Wrap(err, "unable to decode Deployment manifest") } - setKamajiManagedLabels(c.deployment) + addons_utils.SetKamajiManagedLabels(c.deployment) if err = utilities.DecodeFromYAML(string(parts[2]), c.configMap); err != nil { return errors.Wrap(err, "unable to decode ConfigMap manifest") } - setKamajiManagedLabels(c.configMap) + addons_utils.SetKamajiManagedLabels(c.configMap) if err = utilities.DecodeFromYAML(string(parts[3]), c.service); err != nil { return errors.Wrap(err, "unable to decode Service manifest") } - setKamajiManagedLabels(c.service) + addons_utils.SetKamajiManagedLabels(c.service) if err = utilities.DecodeFromYAML(string(parts[4]), c.clusterRole); err != nil { return errors.Wrap(err, "unable to decode ClusterRole manifest") } - setKamajiManagedLabels(c.clusterRole) + addons_utils.SetKamajiManagedLabels(c.clusterRole) if err = utilities.DecodeFromYAML(string(parts[5]), c.clusterRoleBinding); err != nil { return errors.Wrap(err, "unable to decode ClusterRoleBinding manifest") } - setKamajiManagedLabels(c.clusterRoleBinding) + addons_utils.SetKamajiManagedLabels(c.clusterRoleBinding) if err = utilities.DecodeFromYAML(string(parts[6]), c.serviceAccount); err != nil { return errors.Wrap(err, "unable to decode ServiceAccount manifest") } - setKamajiManagedLabels(c.serviceAccount) + addons_utils.SetKamajiManagedLabels(c.serviceAccount) return nil } diff --git a/internal/resources/addons/kube_proxy.go b/internal/resources/addons/kube_proxy.go index 0bcb872..8640135 100644 --- a/internal/resources/addons/kube_proxy.go +++ b/internal/resources/addons/kube_proxy.go 
@@ -23,6 +23,7 @@ import ( "github.com/clastix/kamaji/internal/constants" "github.com/clastix/kamaji/internal/kubeadm" "github.com/clastix/kamaji/internal/resources" + addon_utils "github.com/clastix/kamaji/internal/resources/addons/utils" "github.com/clastix/kamaji/internal/resources/utils" "github.com/clastix/kamaji/internal/utilities" ) @@ -397,32 +398,32 @@ func (k *KubeProxy) decodeManifests(ctx context.Context, tcp *kamajiv1alpha1.Ten if err = utilities.DecodeFromYAML(string(parts[1]), k.serviceAccount); err != nil { return errors.Wrap(err, "unable to decode ServiceAccount manifest") } - setKamajiManagedLabels(k.serviceAccount) + addon_utils.SetKamajiManagedLabels(k.serviceAccount) if err = utilities.DecodeFromYAML(string(parts[2]), k.clusterRoleBinding); err != nil { return errors.Wrap(err, "unable to decode ClusterRoleBinding manifest") } - setKamajiManagedLabels(k.clusterRoleBinding) + addon_utils.SetKamajiManagedLabels(k.clusterRoleBinding) if err = utilities.DecodeFromYAML(string(parts[3]), k.role); err != nil { return errors.Wrap(err, "unable to decode Role manifest") } - setKamajiManagedLabels(k.role) + addon_utils.SetKamajiManagedLabels(k.role) if err = utilities.DecodeFromYAML(string(parts[4]), k.roleBinding); err != nil { return errors.Wrap(err, "unable to decode RoleBinding manifest") } - setKamajiManagedLabels(k.roleBinding) + addon_utils.SetKamajiManagedLabels(k.roleBinding) if err = utilities.DecodeFromYAML(string(parts[5]), k.configMap); err != nil { return errors.Wrap(err, "unable to decode ConfigMap manifest") } - setKamajiManagedLabels(k.configMap) + addon_utils.SetKamajiManagedLabels(k.configMap) if err = utilities.DecodeFromYAML(string(parts[6]), k.daemonSet); err != nil { return errors.Wrap(err, "unable to decode DaemonSet manifest") } - setKamajiManagedLabels(k.daemonSet) + addon_utils.SetKamajiManagedLabels(k.daemonSet) return nil } 
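Review bot: The import alias added at the top of kube_proxy.go is `addon_utils`, while coredns.go in the same commit imports the same package as `addons_utils`; the two files should agree, and Go import names conventionally avoid underscores. A single alias such as `addonsutils "github.com/clastix/kamaji/internal/resources/addons/utils"` in both files keeps the call sites in the two decodeManifests functions uniform.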
diff --git a/internal/resources/addons/managed_labels.go b/internal/resources/addons/utils/managed_labels.go similarity index 85% rename from internal/resources/addons/managed_labels.go rename to internal/resources/addons/utils/managed_labels.go index 1843788..c55681e 100644 --- a/internal/resources/addons/managed_labels.go +++ b/internal/resources/addons/utils/managed_labels.go @@ -1,7 +1,7 @@ // Copyright 2022 Clastix Labs // SPDX-License-Identifier: Apache-2.0 -package addons +package utils import ( "sigs.k8s.io/controller-runtime/pkg/client" @@ -10,7 +10,7 @@ import ( "github.com/clastix/kamaji/internal/utilities" ) -func setKamajiManagedLabels(obj client.Object) { +func SetKamajiManagedLabels(obj client.Object) { obj.SetLabels(utilities.MergeMaps(obj.GetLabels(), map[string]string{ constants.ProjectNameLabelKey: constants.ProjectNameLabelValue, })) diff --git a/internal/resources/konnectivity/agent.go b/internal/resources/konnectivity/agent.go index 113e497..092d652 100644 --- a/internal/resources/konnectivity/agent.go +++ b/internal/resources/konnectivity/agent.go @@ -18,6 +18,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1" + "github.com/clastix/kamaji/internal/constants" "github.com/clastix/kamaji/internal/utilities" ) 
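Review bot: `SetKamajiManagedLabels` becomes exported in the managed_labels.go hunk but has no doc comment, and the label it writes is the one the Konnectivity CleanUp methods in this commit compare against before deleting a tenant object. A comment should say so, for example `// SetKamajiManagedLabels merges the Kamaji project label into the labels already set on obj; cleanup code treats that label as the marker of a Kamaji-managed object.` The function body closes outside the hunk.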
@@ -27,17 +28,32 @@ type Agent struct { tenantClient client.Client } -func (r *Agent) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil && len(tenantControlPlane.Status.Addons.Konnectivity.Agent.Namespace) == 0 +func (r *Agent) ShouldStatusBeUpdated(_ context.Context, tcp *kamajiv1alpha1.TenantControlPlane) bool { + return tcp.Spec.Addons.Konnectivity == nil && (tcp.Status.Addons.Konnectivity.Agent.Namespace != "" || tcp.Status.Addons.Konnectivity.Agent.Name != "") || + tcp.Spec.Addons.Konnectivity != nil && (tcp.Status.Addons.Konnectivity.Agent.Namespace != r.resource.Namespace || tcp.Status.Addons.Konnectivity.Agent.Name != r.resource.Name) } func (r *Agent) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *Agent) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { logger := log.FromContext(ctx, "resource", r.GetName()) + if err := r.tenantClient.Get(ctx, client.ObjectKeyFromObject(r.resource), r.resource); err != nil { + if k8serrors.IsNotFound(err) { + return false, nil + } + + logger.Error(err, "cannot retrieve the requested resource for deletion") + + return false, err + } + + if labels := r.resource.GetLabels(); labels == nil || labels[constants.ProjectNameLabelKey] != constants.ProjectNameLabelValue { + return false, nil + } + if err := r.tenantClient.Delete(ctx, r.resource); err != nil { if k8serrors.IsNotFound(err) { return false, nil 
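Review bot: In CleanUp, the new label guard returns `false, nil` without logging when the fetched object lacks `constants.ProjectNameLabelKey`, so an agent object that is deliberately left in the tenant cluster looks the same as a finished cleanup. Whether objects written by mutate carry that label depends on `utilities.KamajiLabels`, which is not visible in this diff; if it does not include the project label, Kamaji's own agent would never be deleted. Adding `logger.Info("skipping deletion, resource is not managed by Kamaji")` before the return makes the skip visible. The same guard appears in ClusterRoleBindingResource.CleanUp and ServiceAccountResource.CleanUp, and CleanUp's body continues outside the hunk.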
@@ -83,18 +99,16 @@ func (r *Agent) GetName() string { } func (r *Agent) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.Agent = kamajiv1alpha1.ExternalKubernetesObjectStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.Agent = kamajiv1alpha1.ExternalKubernetesObjectStatus{ Name: r.resource.GetName(), Namespace: r.resource.GetNamespace(), LastUpdate: metav1.Now(), } - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.Agent = kamajiv1alpha1.ExternalKubernetesObjectStatus{} - return nil } @@ -109,7 +123,7 @@ func (r *Agent) mutate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.T return err } - r.resource.SetLabels(utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName())) + r.resource.SetLabels(utilities.MergeMaps(r.resource.GetLabels(), utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName()))) if r.resource.Spec.Selector == nil { r.resource.Spec.Selector = &metav1.LabelSelector{} diff --git a/internal/resources/konnectivity/certificate_resource.go b/internal/resources/konnectivity/certificate_resource.go index 8f48958..7dfe784 100644 --- a/internal/resources/konnectivity/certificate_resource.go +++ b/internal/resources/konnectivity/certificate_resource.go @@ -34,7 +34,7 @@ func (r *CertificateResource) ShouldStatusBeUpdated(_ context.Context, tenantCon } func (r *CertificateResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *CertificateResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { 
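Review bot: ShouldCleanup in certificate_resource.go now returns true only while `Status.Addons.Konnectivity.Enabled` is still set, so removal of the certificate Secret depends on that flag being cleared after this resource has run; nothing in the diff shows where the flag is written, and the ClusterRoleBinding hunk removes its `Enabled = true` assignment. If the flag is cleared first or never set, the certificate and kubeconfig Secrets would presumably stay in place after the addon is disabled. State the ordering assumption on the method, e.g. `// Relies on Status.Addons.Konnectivity.Enabled staying true until every Konnectivity resource has been cleaned up.` The same condition is added to ShouldCleanup in agent.go, cluster_role_binding_resource.go, egress_selector_configuration_resource.go, kubeconfig_resource.go, service_account_resource.go and service_resource.go.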
@@ -65,6 +65,10 @@ func (r *CertificateResource) Define(_ context.Context, tenantControlPlane *kama } func (r *CertificateResource) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { + if tenantControlPlane.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil + } + return controllerutil.CreateOrUpdate(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane)) } @@ -73,16 +77,14 @@ func (r *CertificateResource) GetName() string { } func (r *CertificateResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.Certificate = kamajiv1alpha1.CertificatePrivateKeyPairStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.Certificate.LastUpdate = metav1.Now() tenantControlPlane.Status.Addons.Konnectivity.Certificate.SecretName = r.resource.GetName() tenantControlPlane.Status.Addons.Konnectivity.Certificate.Checksum = utilities.GetObjectChecksum(r.resource) - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.Certificate = kamajiv1alpha1.CertificatePrivateKeyPairStatus{} - return nil } @@ -91,6 +93,7 @@ func (r *CertificateResource) mutate(ctx context.Context, tenantControlPlane *ka logger := log.FromContext(ctx, "resource", r.GetName()) r.resource.SetLabels(utilities.MergeMaps( + r.resource.GetLabels(), utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName()), map[string]string{ constants.ControllerLabelResource: "x509", diff --git a/internal/resources/konnectivity/cluster_role_binding_resource.go b/internal/resources/konnectivity/cluster_role_binding_resource.go index 2415058..dcf9f50 100644 --- a/internal/resources/konnectivity/cluster_role_binding_resource.go +++ b/internal/resources/konnectivity/cluster_role_binding_resource.go 
@@ -14,6 +14,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1" + "github.com/clastix/kamaji/internal/constants" "github.com/clastix/kamaji/internal/utilities" ) 
@@ -24,17 +25,33 @@ type ClusterRoleBindingResource struct { tenantClient client.Client } -func (r *ClusterRoleBindingResource) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Status.Addons.Konnectivity.ClusterRoleBinding.Name != r.resource.GetName() +func (r *ClusterRoleBindingResource) ShouldStatusBeUpdated(_ context.Context, tcp *kamajiv1alpha1.TenantControlPlane) bool { + return tcp.Spec.Addons.Konnectivity == nil && tcp.Status.Addons.Konnectivity.ClusterRoleBinding.Name != "" || + tcp.Spec.Addons.Konnectivity != nil && (tcp.Status.Addons.Konnectivity.ClusterRoleBinding.Name == "" || + tcp.Status.Addons.Konnectivity.ClusterRoleBinding.Name != r.resource.GetName()) } func (r *ClusterRoleBindingResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil && len(tenantControlPlane.Status.Addons.Konnectivity.ClusterRoleBinding.Name) > 0 + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *ClusterRoleBindingResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { logger := log.FromContext(ctx, "resource", r.GetName()) + if err := r.tenantClient.Get(ctx, client.ObjectKeyFromObject(r.resource), r.resource); err != nil { + if k8serrors.IsNotFound(err) { + return false, nil + } + + logger.Error(err, "cannot retrieve the requested resource for deletion") + + return false, err + } + + if labels := r.resource.GetLabels(); labels == nil || labels[constants.ProjectNameLabelKey] != constants.ProjectNameLabelValue { + return false, nil + } + if err := r.tenantClient.Delete(ctx, r.resource); err != nil { if k8serrors.IsNotFound(err) { return false, nil 
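Review bot: In CleanUp, the Delete that follows the new Get and label check is unconditional, so it is not tied to the object whose labels were just inspected; an object recreated under the same name in between would be deleted without its labels having been checked. Passing the fetched UID as a precondition closes that gap: `uid := r.resource.GetUID()` followed by `r.tenantClient.Delete(ctx, r.resource, client.Preconditions{UID: &uid})`. The identical Get-then-Delete sequence is added in Agent.CleanUp and ServiceAccountResource.CleanUp. CleanUp's body continues outside the hunk.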
@@ -67,11 +84,11 @@ func (r *ClusterRoleBindingResource) Define(ctx context.Context, tenantControlPl } func (r *ClusterRoleBindingResource) CreateOrUpdate(ctx context.Context, tcp *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { - if tcp.Spec.Addons.Konnectivity != nil { - return controllerutil.CreateOrUpdate(ctx, r.tenantClient, r.resource, r.mutate(tcp)) + if tcp.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil } - return controllerutil.OperationResultNone, nil + return controllerutil.CreateOrUpdate(ctx, r.tenantClient, r.resource, r.mutate(tcp)) } func (r *ClusterRoleBindingResource) GetName() string { @@ -79,23 +96,21 @@ func (r *ClusterRoleBindingResource) GetName() string { } func (r *ClusterRoleBindingResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.ClusterRoleBinding = kamajiv1alpha1.ExternalKubernetesObjectStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { - tenantControlPlane.Status.Addons.Konnectivity.Enabled = true tenantControlPlane.Status.Addons.Konnectivity.ClusterRoleBinding = kamajiv1alpha1.ExternalKubernetesObjectStatus{ Name: r.resource.GetName(), } - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.ClusterRoleBinding = kamajiv1alpha1.ExternalKubernetesObjectStatus{} - return nil } func (r *ClusterRoleBindingResource) mutate(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) controllerutil.MutateFn { return func() error { r.resource.SetLabels(utilities.MergeMaps( + r.resource.GetLabels(), utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName()), map[string]string{ "kubernetes.io/cluster-service": "true", diff --git a/internal/resources/konnectivity/deployment_resource.go b/internal/resources/konnectivity/deployment_resource.go index aaecc02..bbadd43 100644 --- a/internal/resources/konnectivity/deployment_resource.go 
+++ b/internal/resources/konnectivity/deployment_resource.go @@ -27,9 +27,8 @@ type KubernetesDeploymentResource struct { func (r *KubernetesDeploymentResource) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { switch { - case tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled: - fallthrough - case tenantControlPlane.Spec.Addons.Konnectivity != nil && !tenantControlPlane.Status.Addons.Konnectivity.Enabled: + case tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled, + tenantControlPlane.Spec.Addons.Konnectivity != nil && !tenantControlPlane.Status.Addons.Konnectivity.Enabled: return true default: return false @@ -94,6 +93,10 @@ func (r *KubernetesDeploymentResource) mutate(_ context.Context, tenantControlPl } func (r *KubernetesDeploymentResource) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { + if tenantControlPlane.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil + } + return utilities.CreateOrUpdateWithConflict(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane)) } diff --git a/internal/resources/konnectivity/egress_selector_configuration_resource.go b/internal/resources/konnectivity/egress_selector_configuration_resource.go index 5641016..8b9dcc9 100644 --- a/internal/resources/konnectivity/egress_selector_configuration_resource.go +++ b/internal/resources/konnectivity/egress_selector_configuration_resource.go 
@@ -36,7 +36,7 @@ func (r *EgressSelectorConfigurationResource) Define(_ context.Context, tenantCo } func (r *EgressSelectorConfigurationResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *EgressSelectorConfigurationResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { @@ -56,6 +56,10 @@ func (r *EgressSelectorConfigurationResource) CleanUp(ctx context.Context, _ *ka } func (r *EgressSelectorConfigurationResource) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { + if tenantControlPlane.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil + } + return controllerutil.CreateOrUpdate(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane)) } @@ -68,15 +72,13 @@ func (r *EgressSelectorConfigurationResource) ShouldStatusBeUpdated(_ context.Co } func (r *EgressSelectorConfigurationResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.ConfigMap = kamajiv1alpha1.KonnectivityConfigMap{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.ConfigMap.Name = r.resource.GetName() tenantControlPlane.Status.Addons.Konnectivity.ConfigMap.Checksum = utilities.GetObjectChecksum(r.resource) - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.ConfigMap = kamajiv1alpha1.KonnectivityConfigMap{} - return nil } diff --git a/internal/resources/konnectivity/kubeconfig_resource.go b/internal/resources/konnectivity/kubeconfig_resource.go index 31936d7..c194799 100644 --- a/internal/resources/konnectivity/kubeconfig_resource.go 
+++ b/internal/resources/konnectivity/kubeconfig_resource.go @@ -33,14 +33,15 @@ func (r *KubeconfigResource) ShouldStatusBeUpdated(_ context.Context, tenantCont } func (r *KubeconfigResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *KubeconfigResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { logger := log.FromContext(ctx, "resource", r.GetName()) + if err := r.Client.Delete(ctx, r.resource); err != nil { if !k8serrors.IsNotFound(err) { - logger.Error(err, "cannot delete the requested resourece") + logger.Error(err, "cannot delete the requested resource") return false, err } @@ -63,6 +64,10 @@ func (r *KubeconfigResource) Define(_ context.Context, tenantControlPlane *kamaj } func (r *KubeconfigResource) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { + if tenantControlPlane.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil + } + return controllerutil.CreateOrUpdate(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane)) } 
@@ -71,16 +76,14 @@ func (r *KubeconfigResource) GetName() string { } func (r *KubeconfigResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.Kubeconfig = kamajiv1alpha1.KubeconfigStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.Kubeconfig.LastUpdate = metav1.Now() tenantControlPlane.Status.Addons.Konnectivity.Kubeconfig.SecretName = r.resource.GetName() tenantControlPlane.Status.Addons.Konnectivity.Kubeconfig.Checksum = utilities.GetObjectChecksum(r.resource) - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.Kubeconfig = kamajiv1alpha1.KubeconfigStatus{} - return nil } @@ -89,6 +92,7 @@ func (r *KubeconfigResource) mutate(ctx context.Context, tenantControlPlane *kam logger := log.FromContext(ctx, "resource", r.GetName()) r.resource.SetLabels(utilities.MergeMaps( + r.resource.GetLabels(), utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName()), map[string]string{ constants.ControllerLabelResource: "kubeconfig", diff --git a/internal/resources/konnectivity/service_account_resource.go b/internal/resources/konnectivity/service_account_resource.go index e0b88f9..15b5963 100644 --- a/internal/resources/konnectivity/service_account_resource.go +++ b/internal/resources/konnectivity/service_account_resource.go @@ -14,6 +14,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1" + "github.com/clastix/kamaji/internal/constants" "github.com/clastix/kamaji/internal/utilities" ) 
@@ -24,17 +25,32 @@ type ServiceAccountResource struct { tenantClient client.Client } -func (r *ServiceAccountResource) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return len(tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount.Name) == 0 && len(tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount.Namespace) == 0 +func (r *ServiceAccountResource) ShouldStatusBeUpdated(_ context.Context, tcp *kamajiv1alpha1.TenantControlPlane) bool { + return tcp.Spec.Addons.Konnectivity == nil && len(tcp.Status.Addons.Konnectivity.ServiceAccount.Name) > 0 && len(tcp.Status.Addons.Konnectivity.ServiceAccount.Namespace) > 0 || + tcp.Spec.Addons.Konnectivity != nil && tcp.Status.Addons.Konnectivity.ServiceAccount.Name == "" && tcp.Status.Addons.Konnectivity.ServiceAccount.Namespace == "" } func (r *ServiceAccountResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil && len(tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount.Name) > 0 + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *ServiceAccountResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { logger := log.FromContext(ctx, "resource", r.GetName()) + if err := r.tenantClient.Get(ctx, client.ObjectKeyFromObject(r.resource), r.resource); err != nil { + if k8serrors.IsNotFound(err) { + return false, nil + } + + logger.Error(err, "cannot retrieve the requested resource for deletion") + + return false, err + } + + if labels := r.resource.GetLabels(); labels == nil || labels[constants.ProjectNameLabelKey] != constants.ProjectNameLabelValue { + return false, nil + } + if err := r.tenantClient.Delete(ctx, r.resource); err != nil { if k8serrors.IsNotFound(err) { return false, nil 
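Review bot: ServiceAccountResource.ShouldStatusBeUpdated joins the Name and Namespace tests with `&&` in both branches, so a status with only one of the two fields populated is never reset when the addon is disabled, and a populated status that no longer matches `r.resource` is never refreshed while it is enabled. Agent.ShouldStatusBeUpdated in this commit uses `||` and compares against the resource for the same purpose. Consider `tcp.Spec.Addons.Konnectivity == nil && (sa.Name != "" || sa.Namespace != "")` and `tcp.Spec.Addons.Konnectivity != nil && (sa.Name != r.resource.GetName() || sa.Namespace != r.resource.GetNamespace())`, with `sa := tcp.Status.Addons.Konnectivity.ServiceAccount`.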
@@ -68,11 +84,11 @@ func (r *ServiceAccountResource) Define(ctx context.Context, tenantControlPlane } func (r *ServiceAccountResource) CreateOrUpdate(ctx context.Context, tcp *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { - if tcp.Spec.Addons.Konnectivity != nil { - return controllerutil.CreateOrUpdate(ctx, r.tenantClient, r.resource, r.mutate(tcp)) + if tcp.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil } - return controllerutil.OperationResultNone, nil + return controllerutil.CreateOrUpdate(ctx, r.tenantClient, r.resource, r.mutate(tcp)) } func (r *ServiceAccountResource) GetName() string { @@ -80,23 +96,21 @@ func (r *ServiceAccountResource) GetName() string { } func (r *ServiceAccountResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount = kamajiv1alpha1.ExternalKubernetesObjectStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount = kamajiv1alpha1.ExternalKubernetesObjectStatus{ Name: r.resource.GetName(), Namespace: r.resource.GetNamespace(), } - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.ServiceAccount = kamajiv1alpha1.ExternalKubernetesObjectStatus{} - return nil } func (r *ServiceAccountResource) mutate(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) controllerutil.MutateFn { return func() error { - r.resource.SetLabels(utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName())) + r.resource.SetLabels(utilities.MergeMaps(r.resource.GetLabels(), utilities.KamajiLabels(tenantControlPlane.GetName(), r.GetName()))) return nil } diff --git a/internal/resources/konnectivity/service_resource.go b/internal/resources/konnectivity/service_resource.go index 3f75d88..e5fefec 100644 --- a/internal/resources/konnectivity/service_resource.go 
+++ b/internal/resources/konnectivity/service_resource.go 
@@ -24,25 +24,24 @@ type ServiceResource struct { } func (r *ServiceResource) ShouldStatusBeUpdated(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - if tenantControlPlane.Status.Addons.Konnectivity.Service.Name != r.resource.GetName() { + if tenantControlPlane.Spec.Addons.Konnectivity == nil && + tenantControlPlane.Status.Addons.Konnectivity.Service.Port == 0 && + tenantControlPlane.Status.Addons.Konnectivity.Service.Name == "" && + tenantControlPlane.Status.Addons.Konnectivity.Service.Namespace == "" && + len(tenantControlPlane.Status.Addons.Konnectivity.Service.ServiceStatus.Conditions) == 0 && + len(tenantControlPlane.Status.Addons.Konnectivity.Service.ServiceStatus.LoadBalancer.Ingress) == 0 { + return false + } + + if tenantControlPlane.Status.Addons.Konnectivity.Service.Name != r.resource.GetName() || + tenantControlPlane.Status.Addons.Konnectivity.Service.Namespace != r.resource.GetNamespace() || + len(r.resource.Spec.Ports) > 0 && tenantControlPlane.Status.Addons.Konnectivity.Service.Port != r.resource.Spec.Ports[1].Port || + len(r.resource.Spec.Ports) == 0 && tenantControlPlane.Status.Addons.Konnectivity.Service.Port > 0 || + len(r.resource.Status.Conditions) != len(tenantControlPlane.Status.Addons.Konnectivity.Service.Conditions) { return true } - if tenantControlPlane.Status.Addons.Konnectivity.Service.Namespace != r.resource.GetNamespace() { - return true - } - - if tenantControlPlane.Status.Addons.Konnectivity.Service.Port != r.resource.Spec.Ports[1].Port { - return true - } - - if len(r.resource.Status.Conditions) != len(tenantControlPlane.Status.Addons.Konnectivity.Service.Conditions) { - return true - } - - resourceIngresses := tenantControlPlane.Status.Addons.Konnectivity.Service.LoadBalancer.Ingress - statusIngresses := r.resource.Status.LoadBalancer.Ingress - + resourceIngresses, statusIngresses := tenantControlPlane.Status.Addons.Konnectivity.Service.LoadBalancer.Ingress, r.resource.Status.LoadBalancer.Ingress 
if len(resourceIngresses) != len(statusIngresses) { return true } @@ -68,7 +67,7 @@ func (r *ServiceResource) ShouldStatusBeUpdated(_ context.Context, tenantControl } func (r *ServiceResource) ShouldCleanup(tenantControlPlane *kamajiv1alpha1.TenantControlPlane) bool { - return tenantControlPlane.Spec.Addons.Konnectivity == nil + return tenantControlPlane.Spec.Addons.Konnectivity == nil && tenantControlPlane.Status.Addons.Konnectivity.Enabled } func (r *ServiceResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantControlPlane) (bool, error) { @@ -100,17 +99,15 @@ func (r *ServiceResource) CleanUp(ctx context.Context, _ *kamajiv1alpha1.TenantC } func (r *ServiceResource) UpdateTenantControlPlaneStatus(_ context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) error { + tenantControlPlane.Status.Addons.Konnectivity.Service = kamajiv1alpha1.KubernetesServiceStatus{} + if tenantControlPlane.Spec.Addons.Konnectivity != nil { tenantControlPlane.Status.Addons.Konnectivity.Service.Name = r.resource.GetName() tenantControlPlane.Status.Addons.Konnectivity.Service.Namespace = r.resource.GetNamespace() tenantControlPlane.Status.Addons.Konnectivity.Service.Port = r.resource.Spec.Ports[1].Port tenantControlPlane.Status.Addons.Konnectivity.Service.ServiceStatus = r.resource.Status - - return nil } - tenantControlPlane.Status.Addons.Konnectivity.Service = kamajiv1alpha1.KubernetesServiceStatus{} - return nil } @@ -126,6 +123,10 @@ func (r *ServiceResource) Define(_ context.Context, tenantControlPlane *kamajiv1 } func (r *ServiceResource) CreateOrUpdate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) (controllerutil.OperationResult, error) { + if tenantControlPlane.Spec.Addons.Konnectivity == nil { + return controllerutil.OperationResultNone, nil + } + return controllerutil.CreateOrUpdate(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane)) } 
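Review bot: The port comparison in ServiceResource.ShouldStatusBeUpdated guards with `len(r.resource.Spec.Ports) > 0` but then reads `r.resource.Spec.Ports[1]`, which panics with an index out of range when the Service has exactly one port. The guard should match the index: `len(r.resource.Spec.Ports) > 1 && status.Port != r.resource.Spec.Ports[1].Port ||` and `len(r.resource.Spec.Ports) <= 1 && status.Port > 0 ||`, where `status` stands for `tenantControlPlane.Status.Addons.Konnectivity.Service`. UpdateTenantControlPlaneStatus in a later hunk of this file reads `Spec.Ports[1]` with no length check at all. The function body continues outside the hunk.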
@@ -141,7 +142,7 @@ func (r *ServiceResource) mutate(_ context.Context, tenantControlPlane *kamajiv1 r.resource.Spec.Ports[1].Name = "konnectivity-server" r.resource.Spec.Ports[1].Protocol = corev1.ProtocolTCP r.resource.Spec.Ports[1].Port = tenantControlPlane.Spec.Addons.Konnectivity.KonnectivityServerSpec.Port - r.resource.Spec.Ports[1].TargetPort = intstr.FromInt(int(tenantControlPlane.Spec.Addons.Konnectivity.KonnectivityServerSpec.Port)) + r.resource.Spec.Ports[1].TargetPort = intstr.FromInt32(tenantControlPlane.Spec.Addons.Konnectivity.KonnectivityServerSpec.Port) if tenantControlPlane.Spec.ControlPlane.Service.ServiceType == kamajiv1alpha1.ServiceTypeNodePort { r.resource.Spec.Ports[1].NodePort = tenantControlPlane.Spec.Addons.Konnectivity.KonnectivityServerSpec.Port }