diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index f6256a5a53..6c9debaca5 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -86,20 +86,20 @@ jobs:
       fail-fast: false
       matrix:
         target:
-        - version: v1.30.10
+        - version: v1.30.13
           ipFamily: ipv4
           profile: default
-        - version: v1.31.6
+        - version: v1.31.9
           ipFamily: ipv4
           profile: default
-        - version: v1.32.3
+        - version: v1.32.5
           ipFamily: ipv6  # only run ipv6 test on this version to save time
           profile: default
         # TODO: this's IPv4 first, need a way to test IPv6 first.
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: default
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: gateway-namespace-mode
     steps:
@@ -133,20 +133,20 @@ jobs:
       fail-fast: false
       matrix:
         target:
-        - version: v1.30.10
+        - version: v1.30.13
           ipFamily: ipv4
           profile: default
-        - version: v1.31.6
+        - version: v1.31.9
           ipFamily: ipv4
           profile: default
-        - version: v1.32.3
+        - version: v1.32.5
           ipFamily: ipv6  # only run ipv6 test on this version to save time
           profile: default
         # TODO: this's IPv4 first, need a way to test IPv6 first.
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: default
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: gateway-namespace-mode
     steps:
@@ -177,6 +177,8 @@ jobs:
         # This is not the limit of Envoy Gateway,
         # but the limit of running e2e tests in github CI.
         E2E_BACKEND_UPGRADE_QPS: "3000"
+        # Cluster trust bundle reach beta in v1.33, so we can enable it for v1.33 and later.
+        ENABLE_CLUSTER_TRUST_BUNDLE: ${{ startsWith(matrix.target.version, 'v1.33') }}
       run: make e2e
 
   benchmark-test:
diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml
index fbd1a5daf9..fab5b1eb04 100644
--- a/.github/workflows/experimental_conformance.yaml
+++ b/.github/workflows/experimental_conformance.yaml
@@ -23,22 +23,22 @@ jobs:
     strategy:
       matrix:
         target:
-          - version: v1.30.10
+          - version: v1.30.13
             ipFamily: ipv4
             profile: default
-          - version: v1.31.6
+          - version: v1.31.9
             ipFamily: ipv4
             profile: default
-          - version: v1.32.3
+          - version: v1.32.5
             # only run ipv6 test on this version to save time
             ipFamily: ipv6
             profile: default
           # TODO: this's IPv4 first, need a way to test IPv6 first.
-          - version: v1.33.0
+          - version: v1.33.1
             # only run dual test on latest version to save time
             ipFamily: dual
             profile: default
-          - version: v1.33.0
+          - version: v1.33.1
             # only run dual test on latest version to save time
             ipFamily: dual
             profile: gateway-namespace-mode
diff --git a/go.mod b/go.mod
index 2b54f2626f..6d66eebd25 100644
--- a/go.mod
+++ b/go.mod
@@ -262,7 +262,6 @@ require (
 	github.com/google/go-jsonnet v0.20.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
-	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
@@ -510,7 +509,7 @@ require (
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20250217160221-5e8256e05002 // indirect
 	sigs.k8s.io/controller-tools v0.17.3 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/kind v0.27.0 // indirect
+	sigs.k8s.io/kind v0.29.0 // indirect
 	sigs.k8s.io/kustomize/api v0.19.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 4163cf659f..4e44f6c2b2 100644
--- a/go.sum
+++ b/go.sum
@@ -662,8 +662,6 @@ github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8I
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg=
 github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
-github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI=
-github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -1828,8 +1826,8 @@ sigs.k8s.io/gateway-api v1.3.1-0.20250527223622-54df0a899c1c/go.mod h1:d8NV8nJba
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4=
-sigs.k8s.io/kind v0.27.0 h1:PQ3f0iAWNIj66LYkZ1ivhEg/+Zb6UPMbO+qVei/INZA=
-sigs.k8s.io/kind v0.27.0/go.mod h1:RZVFmy6qcwlSWwp6xeIUv7kXCPF3i8MXsEXxW/J+gJY=
+sigs.k8s.io/kind v0.29.0 h1:3TpCsyh908IkXXpcSnsMjWdwdWjIl7o9IMZImZCWFnI=
+sigs.k8s.io/kind v0.29.0/go.mod h1:ldWQisw2NYyM6k64o/tkZng/1qQW7OlzcN5a8geJX3o=
 sigs.k8s.io/kubectl-validate v0.0.5-0.20241223122011-eb064d2f92d5 h1:hNBVJn2bLSAw6vfO2HATzBZlSPMuz5zm+uE+0N1hQx4=
 sigs.k8s.io/kubectl-validate v0.0.5-0.20241223122011-eb064d2f92d5/go.mod h1:ch1ZkZlHzATEduEoItW1Dro09kDMuUsbqFDCyfO0P6I=
 sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ=
diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh
index 4644116a38..251898eb3f 100755
--- a/tools/hack/create-cluster.sh
+++ b/tools/hack/create-cluster.sh
@@ -9,6 +9,7 @@ KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.33.0"}
 NUM_WORKERS=${NUM_WORKERS:-""}
 IP_FAMILY=${IP_FAMILY:-"ipv4"}
 CUSTOM_CNI=${CUSTOM_CNI:-"false"}
+ENABLE_CLUSTER_TRUST_BUNDLE=${ENABLE_CLUSTER_TRUST_BUNDLE:-"false"}
 
 if [ "$CUSTOM_CNI" = "true" ]; then
   CNI_CONFIG="disableDefaultCNI: true"
@@ -20,10 +21,10 @@ KIND_CFG=$(cat <<-EOM
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 runtimeConfig:
-  "certificates.k8s.io/v1alpha1/clustertrustbundles": "true"
+  certificates.k8s.io/v1beta1/clustertrustbundles: ${ENABLE_CLUSTER_TRUST_BUNDLE}
 featureGates:
-  "ClusterTrustBundle": true
-  "ClusterTrustBundleProjection": true
+  "ClusterTrustBundle": ${ENABLE_CLUSTER_TRUST_BUNDLE}
+  "ClusterTrustBundleProjection": ${ENABLE_CLUSTER_TRUST_BUNDLE}
 networking:
   ${CNI_CONFIG}
   ipFamily: ${IP_FAMILY}
@@ -50,6 +51,9 @@ fi
 if go tool kind get clusters | grep -q "${CLUSTER_NAME}"; then
   echo "Cluster ${CLUSTER_NAME} already exists."
 else
+  echo "Creating kind cluster ${CLUSTER_NAME} with the following configuration:"
+  echo "${KIND_CFG}"
+
 ## Create kind cluster.
 if [[ -z "${KIND_NODE_TAG}" ]]; then
   cat << EOF | go tool kind create cluster --name "${CLUSTER_NAME}" --config -