Cloud Infrastructure Security & Compliance
CMP-2337

Contradicting statement of Compliance RULE "ocp4-file-permissions-kube-controller-manager"


The rule ocp4-file-permissions-kube-controller-manager is contradicting itself. In the description of the rule is a command which can be used to correct the permission on the specified files. In the command, the permissions set are 0600 (-rw-------). A little later it is written that the permissions should be set to 0644 (-rw-r--r--).

I have marked the places with ---> <---
~~~
oc get rules -n openshift-compliance -o yaml ocp4-file-permissions-kube-controller-manager
apiVersion: compliance.openshift.io/v1alpha1
checkType: Node
description: |-
  To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command:

  ---> $ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod*/kube-controller-manager-pod.yaml <----
id: xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager
instructions: |-
  To check the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml,
  you'll need to log into a node in the cluster.
  As a user with administrator privileges, log into a node in the relevant pool:

  $ oc debug node/$NODE_NAME

  At the sh-4.4# prompt, run:

  1. chroot /host

  Then, run the command:
  $ ls -l /etc/kubernetes/static-pod-resources/kube-controller-manager-pod*/kube-controller-manager-pod.yaml
  ----> If properly configured, the output should indicate the following permissions:
  -rw-r--r-- <----
~~~

We need to remove this contradicting statement from the RULE.

Assignee: Unassigned
Reporter: Asmita Gawand (rhn-support-agawand)
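As an added example (not code from the issue, the rule, or the compliance-operator), the following POSIX shell check compares a file's mode against a ceiling such as the 0644 quoted in the rule and shows why the stricter 0600 from the chmod command would still pass it. It assumes the rule's value is meant as an upper bound on permissions, which the issue itself does not state, and uses a constructed temporary file in place of the node's kube-controller-manager-pod.yaml.

```shell
#!/bin/sh
# Added example, not code from the issue or from the compliance-operator.
# A mode such as 0644 is treated as a CEILING: the file passes when it sets no
# permission bit the ceiling does not grant, so a stricter 0600 file also passes
# a 0644 ceiling (an assumption about the rule's intent, not stated in the issue).

# mode_within ACTUAL CEILING -> exit 0 if ACTUAL sets no bit outside CEILING.
# Both values are octal; a leading 0 is prepended so "644" (as printed by
# stat) and "0644" are read the same way by shell arithmetic.
mode_within() {
    actual=$(( 0$1 ))
    ceiling=$(( 0$2 ))
    extra=$(( actual & ~ceiling & 07777 ))
    [ "$extra" -eq 0 ]
}

# check_file_mode PATH CEILING -> prints a verdict; exit 0 on pass, 1 on fail,
# 2 if the file is missing. stat -c %a is GNU coreutils, as found on RHCOS.
check_file_mode() {
    path=$1
    ceiling=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    actual=$(stat -c %a "$path")
    if mode_within "$actual" "$ceiling"; then
        echo "PASS $path mode=$actual ceiling=$ceiling"
    else
        echo "FAIL $path mode=$actual ceiling=$ceiling (more permissive than allowed)"
        return 1
    fi
}

# Demo on a constructed temporary file standing in for the node's
# kube-controller-manager-pod.yaml (on a node you would pass the real path).
demo() {
    tmp=$(mktemp)
    chmod 0644 "$tmp"
    check_file_mode "$tmp" 0644          # PASS: exactly the ceiling
    check_file_mode "$tmp" 0600 || true  # FAIL: group/other read exceeds 0600
    chmod 0600 "$tmp"
    check_file_mode "$tmp" 0644          # PASS: stricter than the ceiling
    rm -f "$tmp"
}

demo
```

On a node (after `oc debug node/$NODE_NAME` and `chroot /host`) the same function can be pointed at the real glob from the rule to get a PASS/FAIL verdict instead of reading `ls -l` output by eye.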