diff --git a/pkg/apis/flux/v1alpha1/validation/fluxconfig.go b/pkg/apis/flux/v1alpha1/validation/fluxconfig.go
index bd0d5510..f294f6d3 100644
--- a/pkg/apis/flux/v1alpha1/validation/fluxconfig.go
+++ b/pkg/apis/flux/v1alpha1/validation/fluxconfig.go
@@ -7,6 +7,7 @@ import (
 v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
 apiequality "k8s.io/apimachinery/pkg/api/equality"
 apivalidation "k8s.io/apimachinery/pkg/api/validation"
+ "k8s.io/apimachinery/pkg/util/validation"
 "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/utils/ptr"
@@ -125,6 +126,9 @@ func ValidateAdditionalSecretResources(additionalResources []fluxv1alpha1.Additi
 }
 for i, r := range additionalResources {
+ if ptr.Deref(r.TargetName, "") != "" && len(validation.IsDNS1123Subdomain(*r.TargetName)) > 0 {
+ allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("targetName"), *r.TargetName, "must be a valid resource name"))
+ }
 allErrs = append(allErrs, validateSecretResource(shoot.Spec.Resources, fldPath.Index(i).Child("name"), r.Name)...)
 }
diff --git a/pkg/apis/flux/v1alpha1/validation/fluxconfig_test.go b/pkg/apis/flux/v1alpha1/validation/fluxconfig_test.go
index 4ae1ca03..8811d2df 100644
--- a/pkg/apis/flux/v1alpha1/validation/fluxconfig_test.go
+++ b/pkg/apis/flux/v1alpha1/validation/fluxconfig_test.go
@@ -354,6 +354,7 @@ var _ = Describe("FluxConfig validation", func() {
 {Name: "valid"},
 {Name: "wrong-kind"},
 {Name: "no-ref"},
+ {Name: "valid", TargetName: ptr.To("invalid-name-")},
 }
 shoot.Spec.Resources = []gardencorev1beta1.NamedResourceReference{
 {
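Review bot: In the second hunk of fluxconfig.go, the new guard `ptr.Deref(r.TargetName, "") != ""` treats an explicitly empty `targetName` the same as an unset one, so a pointer to `""` passes without any name check. If the consumer uses the pointer as given, that value would presumably only be rejected later, when the secret is created; writing the condition as `if r.TargetName != nil && len(validation.IsDNS1123Subdomain(*r.TargetName)) > 0 {` closes this, since the empty string fails the subdomain check. The error detail also drops the messages `IsDNS1123Subdomain` returns, which say why the name was rejected; appending them after "must be a valid resource name" would keep the test's substring match. Nothing in the visible lines rejects two entries that resolve to the same target name; that is worth confirming, because the function starts outside this hunk and may already handle it.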
@@ -374,14 +375,19 @@ var _ = Describe("FluxConfig validation", func() {
 ).To(ConsistOf(
 PointTo(MatchFields(IgnoreExtras, Fields{
 "Type": Equal(field.ErrorTypeInvalid),
- "Field": Equal("root[1]"),
+ "Field": Equal("root[1].name"),
 "Detail": ContainSubstring("is not a secret"),
 })),
 PointTo(MatchFields(IgnoreExtras, Fields{
 "Type": Equal(field.ErrorTypeInvalid),
- "Field": Equal("root[2]"),
+ "Field": Equal("root[2].name"),
 "Detail": ContainSubstring("does not match any of the resource names"),
 })),
+ PointTo(MatchFields(IgnoreExtras, Fields{
+ "Type": Equal(field.ErrorTypeInvalid),
+ "Field": Equal("root[3].targetName"),
+ "Detail": ContainSubstring("must be a valid resource name"),
+ })),
 ))
 })
 })
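Review bot: The added `root[3].targetName` expectation covers only one malformed value (`invalid-name-`, a trailing hyphen); no visible entry exercises a well-formed `TargetName` or an explicitly empty one. Adding `{Name: "valid", TargetName: ptr.To("custom-name")}` to a passing case, and `{Name: "valid", TargetName: ptr.To("")}` with its intended outcome, would pin both boundaries of the new check. The enclosing `Describe` block starts outside this hunk, so such cases may already exist elsewhere in the file.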