diff --git a/pkg/webhook/pod/pod_validating_webhook.go b/pkg/webhook/pod/pod_validating_webhook.go
index 7e7262d20..46f5bd603 100644
--- a/pkg/webhook/pod/pod_validating_webhook.go
+++ b/pkg/webhook/pod/pod_validating_webhook.go
@@ -12,6 +12,8 @@ import (
 
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -19,6 +21,12 @@ import (
 	"go.goms.io/fleet/pkg/utils"
 )
 
+const (
+	deniedPodResource = "Pod creation is disallowed in the fleet hub cluster"
+	allowedPodResource = "Pod creation is allowed in the fleet hub cluster"
+	podDeniedFormat = "Pod %s/%s creation is disallowed in the fleet hub cluster"
+)
+
 var (
 	// ValidationPath is the webhook service path which admission requests are routed to for validating Pod resources.
 	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, corev1.SchemeGroupVersion.Group, corev1.SchemeGroupVersion.Version, "pod")
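Review bot: The three constants in the second hunk carry no comment separating the two klog messages from the format string that becomes the denial reason returned to the API client, and the names `deniedPodResource`/`allowedPodResource` read like resource identifiers rather than messages. I would add `// deniedPodResource and allowedPodResource are structured-log messages; podDeniedFormat is the reason returned in the denied admission response.` above the block. Renaming the first two to `podDeniedMsg`/`podAllowedMsg` would also match the `podDeniedFormat` naming and make the distinction visible at the call sites in Handle.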
@@ -37,15 +45,19 @@ type podValidator struct {
 
 // Handle podValidator denies a pod if it is not created in the system namespaces.
 func (v *podValidator) Handle(_ context.Context, req admission.Request) admission.Response {
+	namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
 	if req.Operation == admissionv1.Create {
+		klog.V(2).InfoS("handling pod resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
 		pod := &corev1.Pod{}
 		err := v.decoder.Decode(req, pod)
 		if err != nil {
 			return admission.Errored(http.StatusBadRequest, err)
 		}
 		if !utils.IsReservedNamespace(pod.Namespace) {
-			return admission.Denied(fmt.Sprintf("Pod %s/%s creation is disallowed in the fleet hub cluster", pod.Namespace, pod.Name))
+			klog.V(2).InfoS(deniedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+			return admission.Denied(fmt.Sprintf(podDeniedFormat, pod.Namespace, pod.Name))
 		}
 	}
+	klog.V(3).InfoS(allowedPodResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
 	return admission.Allowed("")
 }
diff --git a/pkg/webhook/replicaset/replicaset_validating_webhook.go b/pkg/webhook/replicaset/replicaset_validating_webhook.go
index ce6685f05..11876f42f 100644
--- a/pkg/webhook/replicaset/replicaset_validating_webhook.go
+++ b/pkg/webhook/replicaset/replicaset_validating_webhook.go
@@ -12,6 +12,8 @@ import (
 
 	admissionv1 "k8s.io/api/admission/v1"
 	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
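Review bot: The denial at `klog.V(2).InfoS(deniedPodResource, ...)` is the security-relevant event in this hunk, a create attempt outside the reserved namespaces by an identified user, yet at V(2) it is dropped unless the hub binary runs with -v=2 or higher, so I would emit it unconditionally as `klog.InfoS(deniedPodResource, ...)` and keep the verbosity gates for the "handling" and allowed lines. The decode-failure path still logs nothing even though every other outcome now does: `admission.Errored(http.StatusBadRequest, err)` goes back to the client while the operator sees no trace, so add `klog.ErrorS(err, "failed to decode pod", "user", req.UserInfo.Username, "namespacedName", namespacedName)` before that return. The closing `klog.V(3).InfoS(allowedPodResource, ...)` runs for every operation that reaches this handler, including those that skip the `req.Operation == admissionv1.Create` branch, so its "Pod creation is allowed" message is misleading for any other verb the webhook is registered for, which the hunk does not show. The same three points apply to the replicaSetValidator.Handle hunk in replicaset_validating_webhook.go.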
@@ -19,6 +21,12 @@ import (
 	"go.goms.io/fleet/pkg/utils"
 )
 
+const (
+	deniedReplicaSetResource = "ReplicaSet creation is disallowed in the fleet hub cluster"
+	allowedReplicaSetResource = "ReplicaSet creation is allowed in the fleet hub cluster"
+	replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster."
+)
+
 var (
 	// ValidationPath is the webhook service path which admission requests are routed to for validating ReplicaSet resources.
 	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, appsv1.SchemeGroupVersion.Group, appsv1.SchemeGroupVersion.Version, "replicaset")
@@ -37,14 +45,18 @@ func Add(mgr manager.Manager) error {
 
 // Handle replicaSetValidator denies all creation requests.
 func (v *replicaSetValidator) Handle(_ context.Context, req admission.Request) admission.Response {
+	namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
 	if req.Operation == admissionv1.Create {
+		klog.V(2).InfoS("handling replicaSet resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
 		rs := &appsv1.ReplicaSet{}
 		if err := v.decoder.Decode(req, rs); err != nil {
 			return admission.Errored(http.StatusBadRequest, err)
 		}
 		if !utils.IsReservedNamespace(rs.Namespace) {
-			return admission.Denied(fmt.Sprintf("ReplicaSet %s/%s creation is disallowed in the fleet hub cluster.", rs.Namespace, rs.Name))
+			klog.V(2).InfoS(deniedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
+			return admission.Denied(fmt.Sprintf(replicaSetDeniedFormat, rs.Namespace, rs.Name))
 		}
 	}
+	klog.V(3).InfoS(allowedReplicaSetResource, "user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "operation", req.Operation, "GVK", req.RequestKind, "subResource", req.SubResource, "namespacedName", namespacedName)
 	return admission.Allowed("")
 }
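Review bot: `replicaSetDeniedFormat` ends with a trailing period while `podDeniedFormat` in pod_validating_webhook.go does not, so the two denial reasons returned to clients are punctuated inconsistently; since this commit already lifts both strings into constants, this is the moment to align them, e.g. `replicaSetDeniedFormat = "ReplicaSet %s/%s creation is disallowed in the fleet hub cluster"`. Error-style messages in Go conventionally omit the trailing period. A one-line comment separating the log messages from the client-facing format would also help readers of Handle, such as `// deniedReplicaSetResource and allowedReplicaSetResource are log messages; replicaSetDeniedFormat is returned in the denied admission response.`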
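Review bot: The doc comment `// Handle replicaSetValidator denies all creation requests.` is contradicted by the code under it, which allows creates whose namespace passes `utils.IsReservedNamespace` and allows every non-Create operation outright; it should read `// Handle denies ReplicaSet creation outside the reserved namespaces; all other requests are allowed.` The logging points raised on podValidator.Handle apply to this hunk as well. Separately, `namespacedName` is built from `req.Name`/`req.Namespace` while the decision and the denial reason use `rs.Namespace`/`rs.Name`; for a validating webhook these should normally agree by the time it is invoked, but logging the decoded values on the denied line would keep the log record and the returned reason consistent if they ever diverge.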