Propper check for unleash enabled configuration options

.mise-tasks/test/_default

@@ -4,6 +4,19 @@
 
 set -e
 
+# Export Docker environment variables for colima (if not already set)
+if [ -z "$DOCKER_HOST" ]; then
+	if [ -S "$HOME/.colima/default/docker.sock" ]; then
+		export DOCKER_HOST="unix://$HOME/.colima/default/docker.sock"
+		# For testcontainers to work with colima, we need to tell it where the docker socket is
+		export TESTCONTAINERS_DOCKER_SOCKET_OVERRIDE="$HOME/.colima/default/docker.sock"
+		# This allows testcontainers to use the host docker socket directly
+		export TESTCONTAINERS_HOST_OVERRIDE="localhost"
+		# Disable the Ryuk container that manages test container cleanup with colima
+		export TESTCONTAINERS_RYUK_DISABLED="true"
+	fi
+fi
+
 # shellcheck disable=SC2154
 if [ "$usage_coverage" = "true" ]; then
 	rm -f hack/coverprofile.txt

internal/kubernetes/watcher/object_manager.go

@@ -1,6 +1,7 @@
 package watcher
 
 import (
+	"context"
 	"fmt"
 	"time"
 
@@ -78,6 +79,16 @@ func (c *clusterManager) createInformer(obj runtime.Object, gvr *schema.GroupVer
 			c.log.WithError(err).WithField("resource", gvr.String()).Error("resource not available in cluster")
 			return nil, *gvr, fmt.Errorf("resource not available in cluster")
 		}
+
+		// Also verify we have permission to list the resource by doing a test list with limit=1
+		// This prevents errors at runtime when the informer tries to watch resources we can't access
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		_, err = c.client.Resource(*gvr).List(ctx, v1.ListOptions{Limit: 1})
+		if err != nil {
+			c.log.WithError(err).WithField("resource", gvr.String()).Warn("no permission to list resource, skipping watcher")
+			return nil, *gvr, fmt.Errorf("no permission to list resource: %w", err)
+		}
 	}
 
 	if lblSelector == "" {