diff --git a/lib/objects.py b/lib/objects.py
index 60c7aac04bf5575b74f6b28227ca8e0c84863cbc..6bae3a5d43398e3ebf49eb9b491667e89351e349 100644
--- a/lib/objects.py
+++ b/lib/objects.py
@@ -1616,6 +1616,12 @@ class Cluster(TaggableObject):
       # we can either make sure to upgrade the ipolicy always, or only
       # do it in some corner cases (e.g. missing keys); note that this
       # will break any removal of keys from the ipolicy dict
+      wrongkeys = frozenset(self.ipolicy.keys()) - constants.IPOLICY_ALL_KEYS
+      if wrongkeys:
+        # These keys would be silently removed by FillIPolicy()
+        msg = ("Cluster instance policy contains spourious keys: %s" %
+               utils.CommaJoin(wrongkeys))
+        raise errors.ConfigurationError(msg)
       self.ipolicy = FillIPolicy(constants.IPOLICY_DEFAULTS, self.ipolicy)
 
   @property
diff --git a/test/py/ganeti.objects_unittest.py b/test/py/ganeti.objects_unittest.py
index 9c4595d029bbe154e855f5db623daa805c510805..6f73e303d8ed8111457a725553a04e127ce8ff83 100755
--- a/test/py/ganeti.objects_unittest.py
+++ b/test/py/ganeti.objects_unittest.py
@@ -215,6 +215,13 @@ class TestClusterObject(unittest.TestCase):
     self.fake_cl.enabled_hypervisors = sorted(constants.HYPER_TYPES)
     self.assertEqual(self.fake_cl.primary_hypervisor, constants.HT_CHROOT)
 
+  def testUpgradeConfig(self):
+    # FIXME: This test is incomplete
+    cluster = objects.Cluster()
+    cluster.UpgradeConfig()
+    cluster = objects.Cluster(ipolicy={"unknown_key": None})
+    self.assertRaises(errors.ConfigurationError, cluster.UpgradeConfig)
+
 
 class TestOS(unittest.TestCase):
   ALL_DATA = [