(Documentation) Emphasize security recommendations early in the installation process

[ADubhlaoich]

Is your feature request related to a problem? Please describe.
As a user, I want to know best practices earlier, so that I can secure my cluster sooner.

Describe the solution you'd like
When I am following critical instructions for setup and configuration steps, I want to be informed of best practices.

Describe alternatives you've considered
I think that some of these best practices could theoretically be enabled by default, but some of the best practices relate to specific use cases. On first run/deployment there could be a series of checks and subsequent recommendations, but that gets into the scope of code changes instead of just documentation.

Additional context
This issue was inspired by the current Security documentation page under Configuration. I don't think it's very well written, and it struck me that if something is of enough importance to be recommended, the information should be juxtaposed with where it would be relevant.

[ADubhlaoich]

I'm already working on this issue: trying to get into the habit of defining problems publicly before I work on them, following the open source ethos.

There's a number of significantly sore thumbs in the existing page:

• Incorrect usage of the software name: Lots of "the" Ingress Controller. You can guess in context, but there's a few out there.
• Marketing/product management tone: It'll give most regular users an ick feeling.
• Passive tone: If we feel strongly enough to mention anything, it should be imperative. Instructions are direct, recommendations are indirect.
• Unnecessary words: There are too many "promise" sentences and unqualified superlatives.

The game plan is to fix the grammar and tone, strip the unnecessary words, then identify where the critical information could be inserted into other existing documentation as part of the critical paths.

There's something to be said about a reference document for securing a cluster, but that feels like it could be part of a general purpose "Design recommendations" page that could be part of the Overview.

[ADubhlaoich]

Pushed out an initial PR for this effort.

A lot of it was removing unnecessary sentences, and updating links - I plan to re-order some of the sections, too.

Since I added a link to the Prometheus documentation, I noticed that it requires some work as well.

I'll have to ask some of the team what the relevancy of NGINX snippets are for security recommendations, because the block of text that currently exists just seems to be a dumped in copy & paste from the existing snippets configuration document.

[ADubhlaoich]

Took the working PR out of draft: I will socialize it for review with the team this week.

There's further refinement that could be done with the entire documentation set with regard to security, but I don't want to blow the scope of that PR up. I'm going to check where the document is linked from: it should be mentioned as part of the deployment process.

If it's something a reader only finds because they've had an incident, then it's already too late for them.

[ADubhlaoich]

@vepatel Any insight on other areas of the docs that recommendations could be made early?

It seems like most of the time the most secure option is suggested anyway: the actual security recommendations page just stuck out like a sore thumb, but I addressed that in a previous PR.