Port knocking isn't security theater, in that it is a layer of obfuscation and (weak) authentication. I consider it another weak "noise decreased" like moving SSH to a nonstandard port. Your sshd logs will be quieter making analysis easier.