I might have solved this.

There's an interaction (read: bug) in how Ruby handles temp directory creation and how Kubernetes handles ephemeral volumes. When the Pod is created, /tmp has permissions 777, which is world-writable without a sticky bit. That's sane in a container world, where only one user (or at least one security domain) will have access to that volume. Ruby, however, has a check that it won't use a world-writable path for tmpdir unless the sticky bit is set. That's sane in a non-container world.

To work around the issue, I added an extra init container and environment variable, in appropriate places in the Deployment:

spec:   
   containers:
   - command:
     - bash
     - /app/docker/prod/web
     env:
     - name: OPENPROJECT_DB_PASSWORD
       value: <REDACTED>
     - name: TMPDIR
       value: /tmp/openproject

   initContainers:
   - command:
     - bash
     - -c
     - mkdir /tmp/openproject
     image: docker.io/openproject/community:13-slim
     imagePullPolicy: Always
     name: mktmpdir
     resources: {}
     terminationMessagePath: /dev/termination-log
     terminationMessagePolicy: File
     volumeMounts:
     - mountPath: /tmp
       name: tmp

In my case, I was getting 500 errors when trying to create a Wiki page. I'm not too good with Ruby, so I haven't thoroughly traced the code, but I believe the root cause is that the Wiki pages (and perhaps file attachments) are written to a temp directory first, then moved to their final storage location. Since /tmp is world-writable and not sticky, and no better TMPDIR is set by default, Ruby crashes rather than permit something potentially insecure.

The extra init container simply creates a path /tmp/openproject, which is naturally not world-writable. That path is then used in the TMPDIR environment variable, allowing Ruby to confidently create temp directories.

Depending on the filesystem type used by your volumes, there could be word hurdle restrictions on write access.