diff --git a/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go b/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go index b8bb17dab..22e5d4bab 100644 --- a/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go +++ b/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go @@ -114,7 +114,7 @@ func (p *provisioningAdmitter) Admit(request *admission.Request) (*admissionv1.A return response, err } - if response := p.validateRKEConfigChanged(oldCluster, cluster); !response.Allowed { + if response := p.validateRKEConfigChanged(request, oldCluster, cluster); !response.Allowed { return response, nil } @@ -186,11 +186,10 @@ func getEnvVar(name string, envVars []rkev1.EnvVar) *rkev1.EnvVar { // validateRKEConfigChanged validates that after creation, the `spec.rkeConfig` cannot be set to a non-nil value if it // was nil, and likewise cannot be set to a nil value if it was not. The local cluster is explicitly exempted from // setting rkeConfig from nil to not nil, as it is a valid usecase to do so for rancherd in harvester environments. -func (p *provisioningAdmitter) validateRKEConfigChanged(oldCluster, newCluster *v1.Cluster) *admissionv1.AdmissionResponse { - if oldCluster == nil { +func (p *provisioningAdmitter) validateRKEConfigChanged(request *admission.Request, oldCluster, newCluster *v1.Cluster) *admissionv1.AdmissionResponse { + if request.Operation != admissionv1.Update { return admission.ResponseAllowed() } - if oldCluster.Spec.RKEConfig == nil && newCluster.Spec.RKEConfig != nil && oldCluster.Name != localCluster { return admission.ResponseBadRequest("RKEConfig cannot be changed from null after cluster creation") } else if oldCluster.Spec.RKEConfig != nil && newCluster.Spec.RKEConfig == nil { diff --git a/pkg/resources/provisioning.cattle.io/v1/cluster/validator_test.go b/pkg/resources/provisioning.cattle.io/v1/cluster/validator_test.go index 817014587..8102f620d 100644 
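Review bot: In the second hunk, validateRKEConfigChanged drops the `oldCluster == nil` guard and now dereferences `request`, `oldCluster.Spec` and `newCluster.Spec` on every Update with no nil check, so a nil object would panic inside the admission webhook instead of producing a decision. Whether the caller can ever pass nil is not visible here, because the decoding in Admit lies outside the hunk, so treat this as defense in depth. After the operation check, add `if oldCluster == nil || newCluster == nil { return admission.ResponseBadRequest("cluster object missing from update request") }` so the validator fails closed rather than crashing or allowing. The doc comment above the function should also state the new contract, for example `// Only Update operations are checked; all other operations are allowed.` The function body continues past the end of the hunk.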
--- a/pkg/resources/provisioning.cattle.io/v1/cluster/validator_test.go
+++ b/pkg/resources/provisioning.cattle.io/v1/cluster/validator_test.go
@@ -2737,30 +2737,42 @@ func Test_validateS3Secret(t *testing.T) {
 func Test_ValidateRKEConfigChanged(t *testing.T) {
 tests := []struct {
 name string
+ op admissionv1.Operation
 oldCluster *v1.Cluster
 newCluster *v1.Cluster
 expected bool
 }{
 {
 name: "create",
- oldCluster: nil,
+ op: admissionv1.Create,
+ oldCluster: &v1.Cluster{},
+ newCluster: &v1.Cluster{},
+ expected: true,
+ },
+ {
+ name: "delete",
+ op: admissionv1.Delete,
+ oldCluster: &v1.Cluster{},
 newCluster: &v1.Cluster{},
 expected: true,
 },
 {
 name: "no change - nil",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{},
 newCluster: &v1.Cluster{},
 expected: true,
 },
 {
 name: "no change - nil - local",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "local"}},
 newCluster: &v1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "local"}},
 expected: true,
 },
 {
 name: "no change - not nil",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{
 Spec: v1.ClusterSpec{
 RKEConfig: &v1.RKEConfig{},
@@ -2775,6 +2787,7 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 },
 {
 name: "no change - not nil - local",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{
 ObjectMeta: metav1.ObjectMeta{
 Name: "local",
@@ -2795,6 +2808,7 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 },
 {
 name: "change - was nil",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{},
 newCluster: &v1.Cluster{
 Spec: v1.ClusterSpec{
@@ -2805,6 +2819,7 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 },
 {
 name: "change - was nil - local",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{
 ObjectMeta: metav1.ObjectMeta{
 Name: "local",
@@ -2822,6 +2837,7 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 },
 {
 name: "change - was not nil",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{
 Spec: v1.ClusterSpec{
 RKEConfig: &v1.RKEConfig{},
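Review bot: The new "create" and "delete" cases in the first hunk pass two identical empty clusters, so they would be admitted even without the `request.Operation` gate and do not pin the behaviour this commit introduces. Give them inputs that an Update would reject, for example in the "create" case `newCluster: &v1.Cluster{Spec: v1.ClusterSpec{RKEConfig: &v1.RKEConfig{}}},` with the empty `oldCluster`, keeping `expected: true`. A matching "delete" case with `RKEConfig` set only on `oldCluster` would cover the other direction. The table continues outside the hunk, so an equivalent case may already exist further down.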
@@ -2832,6 +2848,7 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 },
 {
 name: "change - was not nil - local",
+ op: admissionv1.Update,
 oldCluster: &v1.Cluster{
 ObjectMeta: metav1.ObjectMeta{
 Name: "local",
@@ -2854,7 +2871,12 @@ func Test_ValidateRKEConfigChanged(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 p := provisioningAdmitter{}
- response := p.validateRKEConfigChanged(tt.oldCluster, tt.newCluster)
+ req := &admission.Request{
+ AdmissionRequest: admissionv1.AdmissionRequest{
+ Operation: tt.op,
+ },
+ }
+ response := p.validateRKEConfigChanged(req, tt.oldCluster, tt.newCluster)
 if tt.expected {
 assert.True(t, response.Allowed, "Expected change to be admitted")
 } else {