diff --git a/specification/resources/kubernetes/models/cluster.yml b/specification/resources/kubernetes/models/cluster.yml index b4fd0d25b..44b4b4ad8 100644 --- a/specification/resources/kubernetes/models/cluster.yml +++ b/specification/resources/kubernetes/models/cluster.yml @@ -156,6 +156,8 @@ properties: description: A read-only boolean value indicating if a container registry is integrated with the cluster. + control_plane_firewall: + $ref: 'control_plane_firewall.yml' required: - name diff --git a/specification/resources/kubernetes/models/cluster_update.yml b/specification/resources/kubernetes/models/cluster_update.yml index 0ad741e76..5fcc7b02a 100644 --- a/specification/resources/kubernetes/models/cluster_update.yml +++ b/specification/resources/kubernetes/models/cluster_update.yml @@ -45,5 +45,8 @@ properties: is run in a highly available configuration in the cluster. Highly available control planes incur less downtime. The property cannot be disabled. + control_plane_firewall: + $ref: 'control_plane_firewall.yml' + required: - name diff --git a/specification/resources/kubernetes/models/control_plane_firewall.yml b/specification/resources/kubernetes/models/control_plane_firewall.yml new file mode 100644 index 000000000..393c70454 --- /dev/null +++ b/specification/resources/kubernetes/models/control_plane_firewall.yml @@ -0,0 +1,18 @@ +type: object +nullable: true +description: An object specifying the control plane firewall for the Kubernetes cluster. + Control plane firewall is in early availability (invite only). +properties: + enable: + type: boolean + description: Indicates whether the control plane firewall is enabled. + example: true + + allowed_addresses: + type: array + description: An array of public addresses (IPv4 or CIDR) allowed to access the control plane. + items: + type: string + example: + - "1.2.3.4/32" + - "1.1.0.0/16" 
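Review bot: The `control_plane_firewall` property added to `cluster_update.yml` says nothing about update semantics, and because the referenced object is `nullable: true` a client cannot tell whether omitting the property or sending `null` leaves the existing firewall untouched or switches it off. The same gap applies to `allowed_addresses`: the spec does not say whether a supplied array replaces the stored allowlist or is merged into it. This should be explicit for a control that gates access to the Kubernetes API, so that an update to an unrelated field cannot silently widen access. If this spec is OpenAPI 3.0, as `nullable` suggests, siblings of `$ref` are ignored, so the wording belongs in `control_plane_firewall.yml` or in an `allOf` wrapper here, for example `description: Omitting this property leaves the current firewall settings unchanged.` once that behaviour is confirmed.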
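Review bot: The `allowed_addresses` description in the new `control_plane_firewall.yml` does not say what happens when `enable` is true and the array is empty or omitted, so a reader cannot tell whether that state blocks all access to the control plane or leaves it open. I would add one sentence stating that behaviour, and say whether a bare address is treated as a /32 and whether IPv6 is accepted, since the text names only "IPv4 or CIDR". The items are unconstrained strings, so a `pattern`, or a note that the server rejects malformed entries, would let clients validate before sending. The example values `1.2.3.4/32` and `1.1.0.0/16` are routable public space that readers may paste into a real allowlist; documentation ranges from RFC 5737 such as `"192.0.2.10/32"` and `"198.51.100.0/24"` are safer.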
diff --git a/specification/resources/kubernetes/responses/examples.yml b/specification/resources/kubernetes/responses/examples.yml index 87fbd9cc4..05079644e 100644 --- a/specification/resources/kubernetes/responses/examples.yml +++ b/specification/resources/kubernetes/responses/examples.yml @@ -98,6 +98,11 @@ kubernetes_clusters_all: surge_upgrade: false registry_enabled: false ha: false + control_plane_firewall: + enabled: true + allowed_addresses: + - "1.2.3.4/32" + - "1.1.0.0/16" meta: total: 1 @@ -200,6 +205,11 @@ kubernetes_single: surge_upgrade: false registry_enabled: false ha: false + control_plane_firewall: + enabled: true + allowed_addresses: + - "1.2.3.4/32" + - "1.1.0.0/16" kubernetes_updated: value: @@ -300,6 +310,11 @@ kubernetes_updated: surge_upgrade: true registry_enabled: false ha: false + control_plane_firewall: + enabled: true + allowed_addresses: + - "1.2.3.4/32" + - "1.1.0.0/16" kubernetes_clusters_create_basic_response: value: @@ -365,6 +380,11 @@ kubernetes_clusters_create_basic_response: surge_upgrade: false registry_enabled: false ha: false + control_plane_firewall: + enabled: true + allowed_addresses: + - "1.2.3.4/32" + - "1.1.0.0/16" kubernetes_clusters_multi_pool_response: value: @@ -467,6 +487,11 @@ kubernetes_clusters_multi_pool_response: surge_upgrade: false registry_enabled: false ha: false + control_plane_firewall: + enabled: true + allowed_addresses: + - "1.2.3.4/32" + - "1.1.0.0/16" kubernetes_options: value:
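Review bot: Every added example uses `enabled: true` under `control_plane_firewall`, but the schema added in `control_plane_firewall.yml` names the property `enable`, so the examples do not match the model. This applies to all five hunks in this file (`kubernetes_clusters_all`, `kubernetes_single`, `kubernetes_updated`, `kubernetes_clusters_create_basic_response`, `kubernetes_clusters_multi_pool_response`). One of the two spellings is wrong, and the diff does not show which one the API accepts. If the server ignores unknown fields, a client that copies the wrong key could believe the firewall is on when it is not. Align the two, for example `enable: true` in each example if the schema is authoritative, or rename the schema property if the API returns `enabled`.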