diff --git a/fleetconfig-controller/api/v1alpha1/validation.go b/fleetconfig-controller/api/v1alpha1/validation.go
index d756b714..da75f57c 100644
--- a/fleetconfig-controller/api/v1alpha1/validation.go
+++ b/fleetconfig-controller/api/v1alpha1/validation.go
@@ -23,10 +23,11 @@ import (
 //   - spec.addOnConfig
 //   - spec.registrationAuth.*
 //   - spec.hub.clusterManager.source.*
+//   - spec.spokes[*].addOns
 //   - spec.spokes[*].klusterlet.annotations
 //   - spec.spokes[*].klusterlet.source.*
 //   - spec.spokes[*].klusterlet.values
-//   - spec.spokes[*].addOns
+//   - spec.spokes[*].kubeconfig
 func allowFleetConfigUpdate(newObject *FleetConfig, oldObject *FleetConfig) error {
 
 	// Hub check
@@ -65,6 +66,8 @@ func allowFleetConfigUpdate(newObject *FleetConfig, oldObject *FleetConfig) erro
 				newSpokeCopy.Klusterlet.Source = (OCMSource{})
 				oldSpokeCopy.Klusterlet.Values = nil
 				newSpokeCopy.Klusterlet.Values = nil
+				oldSpokeCopy.Kubeconfig = Kubeconfig{}
+				newSpokeCopy.Kubeconfig = Kubeconfig{}
 				newSpokeCopy.AddOns = []AddOn{}
 				oldSpokeCopy.AddOns = []AddOn{}
 
diff --git a/fleetconfig-controller/config/devspace/manager.yaml b/fleetconfig-controller/config/devspace/manager.yaml
index d3b64ebf..4852e273 100644
--- a/fleetconfig-controller/config/devspace/manager.yaml
+++ b/fleetconfig-controller/config/devspace/manager.yaml
@@ -6,12 +6,12 @@ spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/instance: fleetconfig-controller-local
+      app.kubernetes.io/instance: fleetconfig-controller
       app.kubernetes.io/name: fleetconfig-controller
   template:
     metadata:
       labels:
-        app.kubernetes.io/instance: fleetconfig-controller-local
+        app.kubernetes.io/instance: fleetconfig-controller
         app.kubernetes.io/name: fleetconfig-controller
     spec:
       serviceAccountName: fleetconfig-controller-manager
diff --git a/fleetconfig-controller/internal/controller/spoke.go b/fleetconfig-controller/internal/controller/spoke.go
index ccbaf712..9c88b67e 100644
--- a/fleetconfig-controller/internal/controller/spoke.go
+++ b/fleetconfig-controller/internal/controller/spoke.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
-	"reflect"
 	"regexp"
 	"slices"
 	"strings"
@@ -55,13 +54,14 @@ func handleSpokes(ctx context.Context, kClient client.Client, fc *v1alpha1.Fleet
 	joinedSpokes := make([]v1alpha1.JoinedSpoke, 0)
 	for _, js := range fc.Status.JoinedSpokes {
 		if !slices.ContainsFunc(fc.Spec.Spokes, func(spoke v1alpha1.Spoke) bool {
-			return spoke.Name == js.Name && reflect.DeepEqual(spoke.Kubeconfig, js.Kubeconfig)
+			return spoke.Name == js.Name
 		}) {
 			err = deregisterSpoke(ctx, kClient, hubKubeconfig, fc, &js)
 			if err != nil {
 				fc.SetConditions(true, v1alpha1.NewCondition(
 					err.Error(), js.UnjoinType(), metav1.ConditionFalse, metav1.ConditionTrue,
 				))
+				// if deregistration fails, retain the joined spoke in the status
 				joinedSpokes = append(joinedSpokes, js)
 				continue
 			}
diff --git a/fleetconfig-controller/internal/kube/kube.go b/fleetconfig-controller/internal/kube/kube.go
index be68ddbb..cffa70de 100644
--- a/fleetconfig-controller/internal/kube/kube.go
+++ b/fleetconfig-controller/internal/kube/kube.go
@@ -110,7 +110,7 @@ func KubeconfigFromSecret(ctx context.Context, kClient client.Client, kubeconfig
 	}
 	raw, ok := secret.Data[kubeconfigKey]
 	if !ok {
-		return nil, fmt.Errorf("failed to get kubeconfig for ref %s/%s using key %s", secretRef.Namespace, secretRef.Name, kubeconfigKey)
+		return nil, fmt.Errorf("kubeconfig key '%s' not found in %s/%s secret", kubeconfigKey, secretRef.Namespace, secretRef.Name)
 	}
 
 	return raw, nil