diff --git a/controllers/kustomization_controller_test.go b/controllers/kustomization_controller_test.go
index c8306cf5..20cc2368 100644
--- a/controllers/kustomization_controller_test.go
+++ b/controllers/kustomization_controller_test.go
@@ -200,7 +200,7 @@ var _ = Describe("KustomizationReconciler", func() {
 Validation: "client",
 Force: false,
 PostBuild: &kustomizev1.PostBuild{
- Substitute: map[string]string{"region": "eu-central-1"},
+ Substitute: map[string]string{"_Region": "eu-central-1"},
 SubstituteFrom: []kustomizev1.SubstituteReference{
 {
 Kind: "ConfigMap",
@@ -274,7 +274,7 @@ metadata:
 namespace: test
 labels:
 environment: ${env:=dev}
- region: "${region}"
+ region: "${_Region}"
 zone: "${zone}"
 `,
 },
diff --git a/controllers/kustomization_varsub.go b/controllers/kustomization_varsub.go
index 2052eb90..67b3e840 100644
--- a/controllers/kustomization_varsub.go
+++ b/controllers/kustomization_varsub.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "context"
 "fmt"
+ "regexp"
 "strings"
 "github.com/drone/envsubst"
@@ -15,6 +16,10 @@ import (
 kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 )
+// varsubRegex is the regular expression used to validate
+// the var names before substitution
+const varsubRegex = "^[_[:alpha:]][_[:alpha:][:digit:]]*$"
+
 // substituteVariables replaces the vars with their values in the specified resource.
 // If a resource is labeled or annotated with
 // 'kustomize.toolkit.fluxcd.io/substitute: disabled' the substitution is skipped.
@@ -68,6 +73,13 @@ func substituteVariables(
 // run bash variable substitutions
 if len(vars) > 0 {
+ r, _ := regexp.Compile(varsubRegex)
+ for v := range vars {
+ if !r.MatchString(v) {
+ return nil, fmt.Errorf("'%s' var name is invalid, must match '%s'", v, varsubRegex)
+ }
+ }
+
 output, err := envsubst.Eval(string(resData), func(s string) string {
 return vars[s]
 })
diff --git a/docs/spec/v1beta1/kustomization.md b/docs/spec/v1beta1/kustomization.md
index 76b7a103..f88865d8 100644
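Review bot: Only the accepting path of the new name check is exercised by this test change: the fixture key becomes `_Region`, which the pattern allows, and nothing visible in this diff asserts that a rejected name makes the substitution fail. Because the check gates user-supplied `postBuild.substitute` keys, I would add a spec with a key the pattern refuses, e.g. `Substitute: map[string]string{"bad-name": "x"}` (a made-up key), and expect the `var name is invalid` error to be reported. The manifest hunk at line 274 only follows the rename and has the same gap.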
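Review bot: `r, _ := regexp.Compile(varsubRegex)` in the last hunk of kustomization_varsub.go discards the compile error and recompiles the pattern on every call with a non-empty `vars`; if the constant is ever edited into an invalid expression, `r` is nil and `r.MatchString(v)` panics inside the reconciler instead of failing at start-up. Declaring `var varsubRegex = regexp.MustCompile("^[_[:alpha:]][_[:alpha:][:digit:]]*$")` at package scope, in place of the `const` added in the hunk above, and calling `varsubRegex.MatchString(v)` removes both problems, with `varsubRegex.String()` used in the message. The rejected name is caller-supplied and is copied into the error text, so `%q` is a safer verb than `'%s'`. Only the keys are validated; the values still reach `envsubst.Eval` unchanged, which deserves a comment if that is intentional. substituteVariables starts and ends outside this hunk.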
--- a/docs/spec/v1beta1/kustomization.md
+++ b/docs/spec/v1beta1/kustomization.md
@@ -716,6 +716,10 @@ for [bash string replacement functions](https://github.com/drone/envsubst) e.g.:
 - `${var:position:length}`
 - `${var/substring/replacement}`
+Note that the name of a variable can contain only alphanumeric and underscore characters.
+The controller validates the var names using this regular expression:
+`^[_[:alpha:]][_[:alpha:][:digit:]]*$`.
+
 Assuming you have manifests with the following variables:
 ```yaml