In Spinnaker it’s possible to restrict access to accounts so that only selected users can manage them. That way we can ensure that random people cannot for example deploy/remove pods.
But what’s the correct way to protect the account that is used to deploy Spinnaker itself (AKA the primary account)? That’s also necessary because we don’t want to have random people messing with Spinnaker pods.
If we just restrict the account to a certain group then we need to instruct halyard somehow to “provide” some valid “Run as User” value for those built-in pipelines.
So how can we protect the primary account?