diff --git a/acrpull/Makefile b/acrpull/Makefile
index 996892a2e..28b8e7e1d 100644
--- a/acrpull/Makefile
+++ b/acrpull/Makefile
@@ -1,8 +1,10 @@
 -include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
 deploy:
 kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \
- helm upgrade --install ${HELM_DRY_RUN} acrpull \
+ ${HELM_CMD} acrpull \
 deploy/helm/acrpull/ \
 --set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \
 --namespace acrpull
diff --git a/acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml b/acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml
index efabf5cc3..6e444be51 100644
--- a/acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml
+++ b/acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml
@@ -17,7 +17,34 @@ spec:
 singular: acrpullbinding
 scope: Namespaced
 versions:
- - name: v1beta2
+ - additionalPrinterColumns:
+ - description: FQDN for the ACR.
+ jsonPath: .spec.acr.server
+ name: Server
+ type: string
+ - description: Scope for the ACR token.
+ jsonPath: .spec.acr.scope
+ name: Scope
+ priority: 1
+ type: string
+ - description: ServiceAccount to which the pull credentials are attached.
+ jsonPath: .spec.serviceAccountName
+ name: Target
+ type: string
+ - description: Time the token was last refreshed.
+ jsonPath: .status.lastTokenRefreshTime
+ name: Last Refresh
+ priority: 1
+ type: date
+ - description: Time the current token expires.
+ jsonPath: .status.tokenExpirationTime
+ name: Expiration
+ type: date
+ - description: Errors encountered during token generation, if any.
+ jsonPath: .status.error
+ name: Error
+ type: string
+ name: v1beta2
 schema:
 openAPIV3Schema:
 description: AcrPullBinding is the Schema for the acrpullbindings API
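Review bot: `-include ../helm-cmd.mk` followed by `HELM_CMD ?= helm upgrade --install` fails open: if helm-cmd.mk is missing or unreadable, make continues silently and the default runs a real `helm upgrade --install`, so the pipeline's `DRY_RUN=true` (set in the pipeline.yaml hunk further down) would no longer turn the deploy into a dry run, whereas the removed `${HELM_DRY_RUN}` was passed straight to helm. Presumably helm-cmd.mk derives HELM_CMD from DRY_RUN, but that file is not part of this diff. Prefer a hard `include ../helm-cmd.mk` so a missing file stops the build instead of deploying for real, or make the fallback explicit with `ifeq ($(DRY_RUN),true)` / `HELM_CMD ?= $(error DRY_RUN is set but helm-cmd.mk did not define HELM_CMD)` / `endif`. Separately, this Makefile sits next to a `deploy/` directory (the recipe references `deploy/helm/acrpull/`), so `deploy` must be declared `.PHONY` somewhere outside this hunk or make reports it up to date and never runs the recipe.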
@@ -136,12 +163,35 @@ spec:
 description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
 properties:
+ clientID:
+ description: |-
+ ClientID holds an optional client identifier of a federated identity.
+ Specify this identifier if multiple identities are federated with the
+ service account and the identity to use for image pulling is not the
+ default identity stored in the service account's annotations. The
+ client and tenant ID must be specified together.
+ example: 1b461305-28be-5271-beda-bd9fd2e24251
+ type: string
 serviceAccountRef:
 description: |-
 ServiceAccountName specifies the name of the service account that should be used when authenticating with WorkloadIdentity.
 type: string
+ tenantID:
+ description: |-
+ TenantID holds an optional tenant identifier of a federated identity.
+ Specify this identifier if multiple identities are federated with the
+ service account and the identity to use for image pulling is not the
+ default identity stored in the service account's annotations. The
+ client and tenant ID must be specified together.
+ example: 72f988bf-86f1-41af-91ab-2d7cd011db47
+ type: string
 type: object
+ x-kubernetes-validations:
+ - message: custom client and tenant identifiers must be provided
+ together, if at all
+ rule: (has(self.clientID) && has(self.tenantID)) || (!has(self.clientID)
+ && !has(self.tenantID))
 type: object
 x-kubernetes-validations:
 - message: only one authentication type can be set
diff --git a/acrpull/deploy/helm/acrpull/templates/namespace.yaml b/acrpull/deploy/helm/acrpull/templates/namespace.yaml
deleted file mode 100644
index 5ffff4a27..000000000
--- a/acrpull/deploy/helm/acrpull/templates/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- app.kubernetes.io/name: acrpull
- app.kubernetes.io/managed-by: Helm
- name: acrpull
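Review bot: The new `clientID` and `tenantID` properties are typed only as free-form strings, yet their descriptions and examples show they are consumed as Azure GUIDs, so a malformed value is accepted at admission and only surfaces later as a token-exchange failure in `.status.error`. Adding `pattern: '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'` to both properties rejects such values up front; if this template is copied from controller-gen output, put the constraint on the Go fields as a `+kubebuilder:validation:Pattern` marker so regeneration keeps it. The both-or-neither CEL rule itself is sound. The enclosing object schema starts before this hunk.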
diff --git a/acrpull/deploy/helm/acrpull/templates/podmonitor.yaml b/acrpull/deploy/helm/acrpull/templates/podmonitor.yaml
index 4ced676f8..3dec16cb3 100644
--- a/acrpull/deploy/helm/acrpull/templates/podmonitor.yaml
+++ b/acrpull/deploy/helm/acrpull/templates/podmonitor.yaml
@@ -1,4 +1,4 @@
-apiVersion: monitoring.coreos.com/v1
+apiVersion: azmonitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
 labels:
diff --git a/acrpull/deploy/helm/acrpull/templates/validatingadmissionpolicybindings.yaml b/acrpull/deploy/helm/acrpull/templates/validatingadmissionpolicybindings.yaml
index 6fe97342d..21d281b81 100644
--- a/acrpull/deploy/helm/acrpull/templates/validatingadmissionpolicybindings.yaml
+++ b/acrpull/deploy/helm/acrpull/templates/validatingadmissionpolicybindings.yaml
@@ -11,7 +11,7 @@ spec:
 paramRef:
 name: "admission-policies-controller-config"
 namespace: {{ .Values.namespace }}
- parameterNotFoundAction: "Deny"
+ parameterNotFoundAction: "Allow"
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -26,7 +26,7 @@ spec:
 paramRef:
 name: "admission-policies-controller-config"
 namespace: {{ .Values.namespace }}
- parameterNotFoundAction: "Deny"
+ parameterNotFoundAction: "Allow"
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
@@ -41,4 +41,4 @@ spec:
 paramRef:
 name: "admission-policies-controller-config"
 namespace: {{ .Values.namespace }}
- parameterNotFoundAction: "Deny"
+ parameterNotFoundAction: "Allow"
diff --git a/acrpull/pipeline.yaml b/acrpull/pipeline.yaml
index a4ea72131..90e1a843a 100644
--- a/acrpull/pipeline.yaml
+++ b/acrpull/pipeline.yaml
@@ -1,5 +1,5 @@
 $schema: "pipeline.schema.v1"
-serviceGroup: Microsoft.Azure.ARO.HCP.RP.Frontend
+serviceGroup: Microsoft.Azure.ARO.HCP.ACRPull
 rolloutName: ACRPull Controller Rollout
 resourceGroups:
 - name: {{ .svc.rg }}
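Review bot: Switching `parameterNotFoundAction` from `"Deny"` to `"Allow"` makes all three ValidatingAdmissionPolicyBindings fail open: whenever the `admission-policies-controller-config` param resource is absent from `{{ .Values.namespace }}`, every request these policies cover is admitted unchecked instead of rejected, so a missing or deleted resource silently removes admission enforcement rather than producing a visible error. The same change appears in the hunks at `-26,7` and `-41,4`. If the motivation is the first install or the dry run, where the param resource does not exist yet, the safer fix is to create that resource ahead of the bindings (a pre-install hook or an earlier pipeline step) and keep `"Deny"`. If fail-open is genuinely intended, add a comment above each binding stating why, so the weakened posture is auditable in the template rather than only in git history.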
@@ -11,8 +11,8 @@ resourceGroups:
 command: make deploy
 dryRun:
 variables:
- - name: HELM_DRY_RUN
- value: "--dry-run=server --debug"
+ - name: DRY_RUN
+ value: "true"
 variables:
 - name: ACRPULL_DIGEST
 configRef: acrPullImageDigest
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 5d59c95f8..9b768c0e0 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -18,6 +18,7 @@ defaults:
 subnetPrefix: "10.128.8.0/21"
 podSubnetPrefix: "10.128.64.0/18"
 aksName: aro-hcp-aks
+ acrPullImageDigest: sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca #v0.1.7
 # Hypershift
 hypershift:
diff --git a/config/config.yaml b/config/config.yaml
index e3b2a151b..4e9635b48 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -16,7 +16,7 @@ defaults:
 subnetPrefix: "10.128.8.0/21"
 podSubnetPrefix: "10.128.64.0/18"
 aksName: aro-hcp-aks
- acrPullImageDigest: sha256:9816561e7ee91a0814a482564d202288f2e5401ca2387a56641f144d04fa3535 #v0.1.5
+ acrPullImageDigest: sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca #v0.1.7
 # Hypershift
 hypershift:
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index cd17f7540..35d0fb935 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -1,4 +1,5 @@
 {
+ "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
 "aksName": "aro-hcp-aks",
 "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
 "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index 7bb2e0a73..53984cc7f 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -1,4 +1,5 @@
 {
+ "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
 "aksName": "aro-hcp-aks",
 "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
 "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index ca4546a82..d86eb90a5 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -1,4 +1,5 @@
 {
+ "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
 "aksName": "aro-hcp-aks",
 "armHelperClientId": "",
 "armHelperFPAPrincipalId": "",
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index 08e69f591..ed31cf3c4 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -1,4 +1,5 @@
 {
+ "acrPullImageDigest": "sha256:1d18e828564dcd509a8551185808549bd8bfddec1fcc4a2783914dc2103bc2ca",
 "aksName": "aro-hcp-aks",
 "armHelperClientId": "2c6ca254-36bd-43c8-a7a8-fe880bc2c489",
 "armHelperFPAPrincipalId": "bc17c825-6cf8-40d0-8bd6-5536a993115e",