For Essentials, we are receiving logs from instances, and we are also going to push those logs into the Jenkins Project infrastructure.
As a "selected" plugin developer:
- I can read the logs sent by the Essentials instances running in the world.
- I cannot see any logs other than the Essentials ones (i.e. I do not see logs from any service like jenkins.io, LDAP or anything else running in the Jenkins K8S cluster).
By "selected" above, we mean that not every plugin developer is going to be allowed to see those logs, for obvious security reasons.
Ideally, there should be a dedicated LDAP group in the Jenkins LDAP to offer this access to some people.
Ideally, to avoid multiplying systems, we would push logs from Essentials Error Telemetry service to Azure Logs Analytics too.
So, if we can give access to Logs Analytics while still making visible only the logs that have, for instance, an "origin=evergreen" tag, that would be perfect. We would then just make sure to add this tag when pushing to the Azure Logs Analytics.