diff --git a/pkg/api/v1alpha1/cluster.go b/pkg/api/v1alpha1/cluster.go
index 578c43c2a8b17..bf14ae354bbfd 100644
--- a/pkg/api/v1alpha1/cluster.go
+++ b/pkg/api/v1alpha1/cluster.go
@@ -190,6 +190,7 @@ var clusterConfigValidations = []func(*Cluster) error{
 validatePackageControllerConfiguration,
 validateEksaVersion,
 validateControlPlaneCertSANs,
+ validateControlPlaneApiServerExtraArgs,
 }
 
 // GetClusterConfig parses a Cluster object from a multiobject yaml file in disk
@@ -494,6 +495,16 @@ func validateControlPlaneCertSANs(cfg *Cluster) error {
 return nil
 }
 
+func validateControlPlaneApiServerExtraArgs(clusterConfig *Cluster) error {
+ allowedFlags := map[string]string{"service-account-issuer": "", "service-account-jwks-uri": ""}
+ for k := range clusterConfig.Spec.ControlPlaneConfiguration.ApiServerExtraArgs {
+ if _, ok := allowedFlags[k]; !ok {
+ return fmt.Errorf("invalid ControlPlaneConfiguration.ApiServerExtraArgs; only 'service-account-issuer' and 'service-account-jwks-uri' flags are accepted currently")
+ }
+ }
+ return nil
+}
+
 func validateWorkerNodeGroups(clusterConfig *Cluster) error {
 workerNodeGroupConfigs := clusterConfig.Spec.WorkerNodeGroupConfigurations
 if len(workerNodeGroupConfigs) <= 0 {
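Review bot: validateControlPlaneApiServerExtraArgs checks only the flag names, so an empty or malformed value for `service-account-issuer` or `service-account-jwks-uri` passes cluster validation and is caught, if at all, only when kube-apiserver starts. These two flags set the `iss` claim of service account tokens and the URL from which relying parties fetch the signing keys, so a plain-http or mistyped JWKS URI weakens every OIDC consumer that trusts the cluster. I would range over key and value, reject empty values, require an https URL for the JWKS URI, and name the offending key in the error, which the current message omits. The sketch needs `net/url`, which may not yet be imported in this file; whether the issuer should also be forced to https is a policy choice, since as far as I know the API server accepts non-URL issuers.

```go
func validateControlPlaneApiServerExtraArgs(clusterConfig *Cluster) error {
	// … unchanged: allowedFlags declaration …
	for k, v := range clusterConfig.Spec.ControlPlaneConfiguration.ApiServerExtraArgs {
		if _, ok := allowedFlags[k]; !ok {
			return fmt.Errorf("invalid ControlPlaneConfiguration.ApiServerExtraArgs %q; only 'service-account-issuer' and 'service-account-jwks-uri' flags are accepted currently", k)
		}
		if v == "" {
			return fmt.Errorf("invalid ControlPlaneConfiguration.ApiServerExtraArgs: %q must not be empty", k)
		}
		if k == "service-account-jwks-uri" {
			if u, err := url.Parse(v); err != nil || u.Scheme != "https" || u.Host == "" {
				return fmt.Errorf("invalid ControlPlaneConfiguration.ApiServerExtraArgs: %q must be an https URL", k)
			}
		}
	}
	// … unchanged: return nil …
}
```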