diff --git a/cluster/kubernetes/images.go b/cluster/kubernetes/images.go
index b4c71b215f..1f8190d194 100644
--- a/cluster/kubernetes/images.go
+++ b/cluster/kubernetes/images.go
@@ -123,7 +123,7 @@ func mergeCredentials(log func(...interface{}) error,
 func (c *Cluster) ImagesToFetch() registry.ImageCreds {
 allImageCreds := make(registry.ImageCreds)
- namespaces, err := c.getAllowedNamespaces()
+ namespaces, err := c.getAllowedAndExistingNamespaces()
 if err != nil {
 c.logger.Log("err", errors.Wrap(err, "getting namespaces"))
 return allImageCreds
diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
index 9a577af6bc..0d3d8fb0ad 100644
--- a/cluster/kubernetes/kubernetes.go
+++ b/cluster/kubernetes/kubernetes.go
@@ -157,7 +157,7 @@ func (c *Cluster) SomeWorkloads(ids []flux.ResourceID) (res []cluster.Workload,
 // AllWorkloads returns all workloads in allowed namespaces matching the criteria; that is, in
 // the namespace (or any namespace if that argument is empty)
 func (c *Cluster) AllWorkloads(namespace string) (res []cluster.Workload, err error) {
- namespaces, err := c.getAllowedNamespaces()
+ namespaces, err := c.getAllowedAndExistingNamespaces()
 if err != nil {
 return nil, errors.Wrap(err, "getting namespaces")
 }
@@ -217,7 +217,7 @@ func (c *Cluster) Ping() error {
 func (c *Cluster) Export() ([]byte, error) {
 var config bytes.Buffer
- namespaces, err := c.getAllowedNamespaces()
+ namespaces, err := c.getAllowedAndExistingNamespaces()
 if err != nil {
 return nil, errors.Wrap(err, "getting namespaces")
 }
@@ -266,11 +266,11 @@ func (c *Cluster) PublicSSHKey(regenerate bool) (ssh.PublicKey, error) {
 return publicKey, nil
 }
-// getAllowedNamespaces returns a list of namespaces that the Flux instance is expected
-// to have access to and can look for resources inside of.
+// getAllowedAndExistingNamespaces returns a list of existing namespaces that
+// the Flux instance is expected to have access to and can look for resources inside of.
 // It returns a list of all namespaces unless an explicit list of allowed namespaces
 // has been set on the Cluster instance.
-func (c *Cluster) getAllowedNamespaces() ([]apiv1.Namespace, error) {
+func (c *Cluster) getAllowedAndExistingNamespaces() ([]apiv1.Namespace, error) {
 if len(c.allowedNamespaces) > 0 {
 nsList := []apiv1.Namespace{}
 for _, name := range c.allowedNamespaces {
diff --git a/cluster/kubernetes/kubernetes_test.go b/cluster/kubernetes/kubernetes_test.go
index 0d80fd56ad..4e16c6c290 100644
--- a/cluster/kubernetes/kubernetes_test.go
+++ b/cluster/kubernetes/kubernetes_test.go
@@ -28,7 +28,7 @@ func testGetAllowedNamespaces(t *testing.T, namespace []string, expected []strin
 client := ExtendedClient{coreClient: clientset}
 c := NewCluster(client, nil, nil, log.NewNopLogger(), namespace, []string{})
- namespaces, err := c.getAllowedNamespaces()
+ namespaces, err := c.getAllowedAndExistingNamespaces()
 if err != nil {
 t.Errorf("The error should be nil, not: %s", err)
 }
diff --git a/cluster/kubernetes/sync.go b/cluster/kubernetes/sync.go
index b412e62c6e..83897ee87c 100644
--- a/cluster/kubernetes/sync.go
+++ b/cluster/kubernetes/sync.go
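Review bot: The revised doc comment on getAllowedAndExistingNamespaces in kubernetes.go says the result holds only existing namespaces, but not what happens to an allow-listed name that is absent from the cluster. The body runs past the end of the hunk, so it is not visible whether such a name is skipped silently, logged, or returned as an error. Callers use this list as the boundary of what Flux reads and lists, so I would state it in the comment, e.g. `// Allowed namespaces that do not exist in the cluster are omitted from the result.` if that is the behaviour.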
@@ -257,8 +257,8 @@ func (c *Cluster) getAllowedResourcesBySelector(selector string) (map[string]*ku
 func (c *Cluster) listAllowedResources(
 namespaced bool, gvr schema.GroupVersionResource, options meta_v1.ListOptions) ([]unstructured.Unstructured, error) {
- if !namespaced || len(c.allowedNamespaces) == 0 {
- // The resource is not namespaced or all the namespaces are allowed
+ if !namespaced {
+ // The resource is not namespaced
 resourceClient := c.client.dynamicClient.Resource(gvr)
 data, err := resourceClient.List(options)
 if err != nil {
@@ -268,9 +268,13 @@ func (c *Cluster) listAllowedResources(
 }
 // List resources only from the allowed namespaces
+ namespaces, err := c.getAllowedAndExistingNamespaces()
+ if err != nil {
+ return nil, err
+ }
 var result []unstructured.Unstructured
- for _, ns := range c.allowedNamespaces {
- data, err := c.client.dynamicClient.Resource(gvr).Namespace(ns).List(options)
+ for _, ns := range namespaces {
+ data, err := c.client.dynamicClient.Resource(gvr).Namespace(ns.Name).List(options)
 if err != nil {
 return result, err
 }
@@ -286,11 +290,7 @@ func (c *Cluster) getAllowedGCMarkedResourcesInSyncSet(syncSetName string) (map[
 }
 allowedSyncSetGCMarkedResources := map[string]*kuberesource{}
 for resID, kres := range allGCMarkedResources {
- // Discard disallowed resources
- if !c.IsAllowedResource(kres.ResourceID()) {
- continue
- }
- // Discard resources out of the Sync Set
+ // Discard resources whose mark doesn't match their resource ID
 if kres.GetGCMark() != makeGCMark(syncSetName, resID) {
 continue
 }
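Review bot: listAllowedResources has no doc comment in view, and with `len(c.allowedNamespaces) == 0` dropped from the guard its contract is worth writing down. An instance with no allow-list no longer issues a single cluster-wide List for namespaced kinds and instead falls through to the per-namespace loop further down the function. I would add `// listAllowedResources lists gvr cluster-wide when it is not namespaced, and otherwise once per namespace returned by getAllowedAndExistingNamespaces.` above the signature. That also makes explicit that cluster-scoped kinds are never narrowed by the allow-list here, which matters to any caller that treats the result as already filtered.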
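Review bot: The added `return nil, err` returns the namespace-lookup error bare, whereas the other call sites touched by this commit (AllWorkloads, Export) use `errors.Wrap(err, "getting namespaces")`; I would do the same here, assuming sync.go already imports that errors package (its import block is not in view). In the loop below, `return result, err` still hands back a partially filled slice together with the error. Any single namespace that fails to list, whether deleted between the lookup and the List call or not listable by the service account, now aborts the whole listing even when no allow-list is configured. Returning `nil` with a wrapped error that names `ns.Name` would make that failure unambiguous for callers and easier to trace in logs.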
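Review bot: With the `IsAllowedResource` check removed from this loop, nothing in getAllowedGCMarkedResourcesInSyncSet itself enforces the namespace allow-list any more. It relies on `allGCMarkedResources` having been built through listAllowedResources, and that call is outside the hunk. listAllowedResources returns every object of a non-namespaced kind, so if IsAllowedResource applied any rule to cluster-scoped objects (its body is not shown), those objects now pass through unfiltered. This set presumably feeds garbage collection, so I would either keep the check as a cheap second guard or document the assumption with `// The allow-list is enforced at list time by listAllowedResources; cluster-scoped kinds are not filtered.` A test with a marked cluster-scoped resource and a non-empty allow-list would pin the behaviour.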