diff --git a/trino/justfile b/trino/justfile
index 5ef2c34..8fff008 100644
--- a/trino/justfile
+++ b/trino/justfile
@@ -8,12 +8,16 @@ export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
 export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
 export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
-export TRINO_COORDINATOR_MEMORY := env("TRINO_COORDINATOR_MEMORY", "4Gi")
-export TRINO_COORDINATOR_CPU := env("TRINO_COORDINATOR_CPU", "2")
-export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "4G")
-export TRINO_WORKER_MEMORY := env("TRINO_WORKER_MEMORY", "4Gi")
-export TRINO_WORKER_CPU := env("TRINO_WORKER_CPU", "2")
-export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "4G")
+export TRINO_COORDINATOR_MEMORY_REQUEST := env("TRINO_COORDINATOR_MEMORY_REQUEST", "2Gi")
+export TRINO_COORDINATOR_MEMORY_LIMIT := env("TRINO_COORDINATOR_MEMORY_LIMIT", "8Gi")
+export TRINO_COORDINATOR_CPU_REQUEST := env("TRINO_COORDINATOR_CPU_REQUEST", "100m")
+export TRINO_COORDINATOR_CPU_LIMIT := env("TRINO_COORDINATOR_CPU_LIMIT", "4")
+export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "6G")
+export TRINO_WORKER_MEMORY_REQUEST := env("TRINO_WORKER_MEMORY_REQUEST", "2Gi")
+export TRINO_WORKER_MEMORY_LIMIT := env("TRINO_WORKER_MEMORY_LIMIT", "8Gi")
+export TRINO_WORKER_CPU_REQUEST := env("TRINO_WORKER_CPU_REQUEST", "100m")
+export TRINO_WORKER_CPU_LIMIT := env("TRINO_WORKER_CPU_LIMIT", "4")
+export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "6G")
 export TRINO_WORKER_COUNT := env("TRINO_WORKER_COUNT", "2")
 export TRINO_POSTGRES_ENABLED := env("TRINO_POSTGRES_ENABLED", "true")
 export TRINO_ICEBERG_ENABLED := env("TRINO_ICEBERG_ENABLED", "")
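Review bot: The new defaults put the JVM heap (`6G`) well above the memory request (`2Gi`) for both coordinator and worker, so the scheduler may place a pod on a node with less than the heap free, and anything a pod uses above its request is the first thing the kubelet reclaims under memory pressure, which makes these pods eviction/OOM candidates exactly when a query is heavy. Nothing here ties `*_JVM_HEAP` to `*_MEMORY_LIMIT` either: a user who raises the heap without raising the limit gets a container that is OOM-killed on start, and presumably the heap value is consumed by JVM config elsewhere in the template, so the constraint is invisible at this point. At minimum document the trade-off next to the variables, e.g. `# Requests are deliberately below the JVM heap for oversubscribed dev clusters; keep *_JVM_HEAP below *_MEMORY_LIMIT and set *_MEMORY_REQUEST >= *_JVM_HEAP for production`, or raise the request defaults to the heap size. The variable block continues before the hunk.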
@@ -239,6 +243,10 @@ install:
 done
 echo "Installing Trino..."
 just create-namespace
+
+ kubectl label namespace ${TRINO_NAMESPACE} \
+ pod-security.kubernetes.io/enforce=restricted --overwrite
+
 just create-oauth-client
 just create-password-secret
diff --git a/trino/trino-values.gomplate.yaml b/trino/trino-values.gomplate.yaml
index 0455036..52a0a16 100644
--- a/trino/trino-values.gomplate.yaml
+++ b/trino/trino-values.gomplate.yaml
@@ -80,7 +80,7 @@ accessControl:
 resourceGroups: {}
-{{- if .Env.TRINO_POSTGRES_ENABLED }}
+{{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
 catalogs:
 postgresql: |
 connector.name=postgresql
@@ -92,7 +92,7 @@ catalogs:
 connector.name=tpch
 tpch.splits-per-node=4
-{{- if .Env.TRINO_ICEBERG_ENABLED }}
+{{- if eq .Env.TRINO_ICEBERG_ENABLED "true" }}
 iceberg: |
 connector.name=iceberg
 iceberg.catalog.type=rest
@@ -164,11 +164,11 @@ coordinator:
 resources:
 requests:
- memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
- cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
+ memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_REQUEST }}"
+ cpu: "{{ .Env.TRINO_COORDINATOR_CPU_REQUEST }}"
 limits:
- memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
- cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
+ memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_LIMIT }}"
+ cpu: "{{ .Env.TRINO_COORDINATOR_CPU_LIMIT }}"
 livenessProbe:
 initialDelaySeconds: 30
@@ -228,11 +228,11 @@ worker:
 resources:
 requests:
- memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
- cpu: "{{ .Env.TRINO_WORKER_CPU }}"
+ memory: "{{ .Env.TRINO_WORKER_MEMORY_REQUEST }}"
+ cpu: "{{ .Env.TRINO_WORKER_CPU_REQUEST }}"
 limits:
- memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
- cpu: "{{ .Env.TRINO_WORKER_CPU }}"
+ memory: "{{ .Env.TRINO_WORKER_MEMORY_LIMIT }}"
+ cpu: "{{ .Env.TRINO_WORKER_CPU_LIMIT }}"
 livenessProbe:
 initialDelaySeconds: 30
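Review bot: The namespace only gets the `enforce` label, so without `pod-security.kubernetes.io/enforce-version` the admission controller evaluates the `latest` profile definition and a cluster upgrade can start rejecting Trino pods that passed before, and without `warn`/`audit` labels a later values change that breaks the profile surfaces only as a silent pod-creation failure on the workload rather than at install time. `kubectl label` accepts several labels in one call, so the same invocation can add `pod-security.kubernetes.io/warn=restricted \` and `pod-security.kubernetes.io/audit=restricted \` before `--overwrite`, and pinning `enforce-version` to a known version is worth considering. A short comment above the call, `# Restricted PSS on the namespace: the pod/container securityContext in trino-values.gomplate.yaml must keep satisfying it`, would tell the next maintainer why the two files are coupled. The `install` recipe continues outside the hunk.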
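Review bot: The gate is now an exact string comparison, so a user exporting `TRINO_POSTGRES_ENABLED=1`, `yes` or `True` silently loses the catalog instead of getting an error; the justfile defaults (`"true"` and `""`) work, but the accepted value is undocumented. A comment on the first `if`, `# catalog is rendered only when the variable is exactly "true"`, makes the contract visible, and the same form is used in the `-92` and `-298` hunks so the catalog and its `POSTGRES_USER` credential in the env section stay gated identically, which is the behaviour to preserve in any future edit. Normalising the value once in the justfile would be the more robust alternative.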
@@ -276,9 +276,27 @@ initContainers: {}
 sidecarContainers: {}
+# Security context for Pod Security Standards (restricted)
 securityContext:
+ runAsNonRoot: true
 runAsUser: 1000
 runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile:
+ type: RuntimeDefault
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 shareProcessNamespace:
 coordinator: false
@@ -298,7 +316,7 @@ env:
 secretKeyRef:
 name: trino-oauth-secret
 key: client_secret
-{{- if .Env.TRINO_POSTGRES_ENABLED }}
+{{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
 - name: POSTGRES_USER
 valueFrom:
 secretKeyRef:
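Review bot: `readOnlyRootFilesystem: false` is the one container hardening the new block explicitly declines, and with no comment a reader will assume it was forgotten rather than chosen; the `restricted` profile does not require it, but stating the reason, `# readOnlyRootFilesystem stays false: <writable paths Trino needs at runtime> are on the root fs; revisit once they are backed by emptyDir mounts`, keeps the decision reviewable. Whether the chart actually maps a top-level `containerSecurityContext` key into each container spec cannot be confirmed from this hunk; if it uses a different key, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` never reach the pod, and since those are mandatory under `restricted`, the enforcement the justfile now applies would reject every Trino pod at creation, so a `helm template` check and a comment naming the chart version that honours the key are worth adding. The pod-level and container-level `runAsUser`/`runAsGroup` duplication is harmless but could be reduced to the pod level with a note that the container level re-states it for clarity.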