diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index ef7f78e197..c4d5b5dac1 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -42,11 +42,13 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 continue
 }
+ startTime := time.Now()
 if !matchAdmissionInfo(rule, policyContext.AdmissionInfo) {
 glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
 continue
 }
+ glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))
 // check if the resource satisfies the filter conditions defined in the rule
 //TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 5c629da5ad..44c7f49bda 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -49,11 +49,13 @@ func Validate(policyContext PolicyContext) (response EngineResponse) {
 continue
 }
+ startTime := time.Now()
 if !matchAdmissionInfo(rule, policyContext.AdmissionInfo) {
 glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
 continue
 }
+ glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))
 // check if the resource satisfies the filter conditions defined in the rule
 // TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
diff --git a/pkg/kyverno/apply/apply.go b/pkg/kyverno/apply/apply.go
index 36af12ce40..d8ff92a445 100644
--- a/pkg/kyverno/apply/apply.go
+++ b/pkg/kyverno/apply/apply.go
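Review bot: In the Mutate hunk and the matching Validate hunk, the new `Time: ... matchAdmissionInfo` line sits after the `continue`, so it is only emitted for rules whose admission info matched; rules rejected by the check are never timed. `time.Since(startTime)` is also computed for every rule even when verbosity is below 4, because glog arguments are evaluated before the level check; `if glog.V(4) { glog.Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime)) }` avoids that on the admission path. If Mutate or Validate already declares a `startTime` outside the hunk, this `:=` shadows it inside the loop, so a distinct name such as `matchStart` would be safer. Both function bodies start and end outside the hunks.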
@@ -105,7 +105,7 @@ func applyPolicyOnRaw(policy *kyverno.ClusterPolicy, rawResource []byte, gvk *me
 }
 //TODO check if the kind information is present resource
 // Process Mutation
- engineResponse := engine.Mutate(*policy, *resource)
+ engineResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, Resource: *resource})
 if !engineResponse.IsSuccesful() {
 glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
 for _, r := range engineResponse.PolicyResponse.Rules {
@@ -115,7 +115,7 @@ func applyPolicyOnRaw(policy *kyverno.ClusterPolicy, rawResource []byte, gvk *me
 glog.Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, gvk.Kind, rname, rns)
 // Process Validation
- engineResponse := engine.Validate(*policy, *resource)
+ engineResponse := engine.Validate(engine.PolicyContext{Policy: *policy, Resource: *resource})
 if !engineResponse.IsSuccesful() {
 glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 47766d0e7c..3548bfea85 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -177,6 +177,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 // TODO(shuting): replace containRBACinfo after policy cache lookup is introduced
 // getRoleRef only if policy has roles/clusterroles defined
+ startTime := time.Now()
 if containRBACinfo(policies) {
 roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 if err != nil {
@@ -185,6 +186,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
 }
 }
+ glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 // MUTATION
 ok, patches, msg := ws.HandleMutation(request, policies, roles, clusterRoles)
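Review bot: Both call sites in applyPolicyOnRaw (this hunk and the Validate one at -115) build `engine.PolicyContext` with only Policy and Resource, so AdmissionInfo is its zero value when Mutate and Validate call `matchAdmissionInfo`. How that helper treats empty user info is not visible in this diff, so rules that restrict by roles or subjects may behave differently here than on the webhook path. I would state the intent at the first call, e.g. `// CLI path: there is no requesting user, so AdmissionInfo is left empty`, and build the context once in a local that both calls reuse. applyPolicyOnRaw starts and ends outside the hunks.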
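Review bot: The `Time: webhook GetRoleRef` line in the second server.go hunk is also reached when GetRoleRef fails, because the `if err != nil` block above it closes right after the logging call with no return visible, and the request then continues to HandleMutation with whatever `roles` and `clusterRoles` hold. If continuing is intended it deserves a comment at the error branch, since rules that match on roles would then be evaluated without role data; the start of that logging call lies between the two hunks, so this is inferred from the closing braces. Separately, `startTime` is taken before `containRBACinfo(policies)`, so the logged value includes that check and is printed even when no lookup ran; moving both new lines inside the `if containRBACinfo(policies) {` branch would make the label accurate.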