diff --git a/apis/kubedb/v1alpha2/kafka_webhook.go b/apis/kubedb/v1alpha2/kafka_webhook.go
index af05f17089..774504f339 100644
--- a/apis/kubedb/v1alpha2/kafka_webhook.go
+++ b/apis/kubedb/v1alpha2/kafka_webhook.go
@@ -86,6 +86,20 @@ func (k *Kafka) ValidateDelete() error {
 func (k *Kafka) ValidateCreateOrUpdate() error {
 	var allErr field.ErrorList
 	// TODO(user): fill in your validation logic upon object creation.
+	if k.Spec.DisableSecurity {
+		if k.Spec.EnableSSL {
+			allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("enableSSL"),
+				k.Name,
+				".spec.enableSSL can't be true, if .spec.disableSecurity is enabled"))
+		}
+	}
+	if k.Spec.EnableSSL {
+		if k.Spec.TLS == nil {
+			allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("enableSSL"),
+				k.Name,
+				".spec.tls can't be nil, if .spec.enableSSL is true"))
+		}
+	}
 	if k.Spec.Topology != nil {
 		if k.Spec.Topology.Controller == nil {
 			allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("topology").Child("controller"),