diff --git a/api/v1/applicationlayer_types.go b/api/v1/applicationlayer_types.go
index fe3d218da7..6ca3fff906 100644
--- a/api/v1/applicationlayer_types.go
+++ b/api/v1/applicationlayer_types.go
@@ -24,11 +24,13 @@ import (
 type ApplicationLayerSpec struct {
 	// WebApplicationFirewall controls whether or not ModSecurity enforcement is enabled for the cluster.
 	// When enabled, Services may opt-in to having ingress traffic examed by ModSecurity.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
 	WebApplicationFirewall *WAFStatusType `json:"webApplicationFirewall,omitempty"`
 	// Specification for application layer (L7) log collection.
 	LogCollection *LogCollectionSpec `json:"logCollection,omitempty"`
 	// Application Layer Policy controls whether or not ALP enforcement is enabled for the cluster.
 	// When enabled, NetworkPolicies with HTTP Match rules may be defined to opt-in workloads for traffic enforcement on the application layer.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
 	ApplicationLayerPolicy *ApplicationLayerPolicyStatusType `json:"applicationLayerPolicy,omitempty"`
 	// User-configurable settings for the Envoy proxy.
 	EnvoySettings *EnvoySettings `json:"envoy,omitempty"`
@@ -72,6 +74,7 @@ type LogCollectionSpec struct {
 	// This setting enables or disable log collection.
 	// Allowed values are Enabled or Disabled.
 	// +optional
+	// +kubebuilder:validation:Enum=Enabled;Disabled
 	CollectLogs *LogCollectionStatusType `json:"collectLogs,omitempty"`
 
 	// Interval in seconds for sending L7 log information for processing.
diff --git a/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml b/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml
index b816624832..3f18e99988 100644
--- a/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml
+++ b/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml
@@ -42,6 +42,9 @@ spec:
                 description: |-
                   Application Layer Policy controls whether or not ALP enforcement is enabled for the cluster.
                   When enabled, NetworkPolicies with HTTP Match rules may be defined to opt-in workloads for traffic enforcement on the application layer.
+                enum:
+                - Enabled
+                - Disabled
                 type: string
               envoy:
                 description: User-configurable settings for the Envoy proxy.
@@ -239,6 +242,9 @@ spec:
                     description: |-
                       This setting enables or disable log collection.
                       Allowed values are Enabled or Disabled.
+                    enum:
+                    - Enabled
+                    - Disabled
                     type: string
                   logIntervalSeconds:
                     description: |-
@@ -259,6 +265,9 @@ spec:
                 description: |-
                   WebApplicationFirewall controls whether or not ModSecurity enforcement is enabled for the cluster.
                   When enabled, Services may opt-in to having ingress traffic examed by ModSecurity.
+                enum:
+                - Enabled
+                - Disabled
                 type: string
             type: object
           status: