Docker containers run with the following capabilities by default:

Capability Description
SETPCAP Allow a process to change it’s own capabilities set (within the set it is already allowed). Should not be dangerous in practice.
MKNOD Allows creation of special devices. Almost all containers will receive the devices they need automatically, so this is almost never needed.
AUDIT_WRITE Allow the container to write records to the underlying kernel auditing log. This is generally used for things like ssh login. It is a better practice to keep all container logs within the container and drain them, rather than allow the container to write to the host log files.
CHOWN Allow the container process to change file permissions. This should generally never be needed in production.
NET_RAW Allows RAW and PACKET sockets, which can be used to spy on networks or create nasty packets. Some applications may need this, but most won’t.
DAC_OVERRIDE Allows the root user to bypass normal file permission checks. No container should ever need this.
FOWNER Bypass permission checks on operations that normally require the UID of the process to match the UID of the file.
FSETID Don’t clear set-user-ID and set-group-ID permission bits when a file is modified. This should only be needed by installations, so generally not in production. Allowing this can let a user modify privileged programs.
KILL Allow the root user to send kill signals to non-root processes. Not generally needed if keeping one container per process, but not too dangerous in general.
SETUID Allows running of setuid binaries, which allows a process to change it’s effective user id. This is required for some processes that require privileged ports (less than 1024) and by some processes like Apache to start. It should only be given to containers that need it.
SETGID Just like setuid above, but for group ids.
NET_BIND_SERVICE Bind to ports less than 1024. Enable this if your container runs a service that listens in the this port range only.
SYS_CHROOT Allows use of the chroot command. Enable only if your process actively uses chroot to change the root directory.
SETFCAP Allows the container to set file capabilities. Sometimes this is needed during a software install, but generally should not be needed by a running container in production.

It’s best to drop all of these and only selectively add the specific capabilities needed. This takes a little more management overhead, because you may have to work with the application team to determine what is really needed.

# docker run --cap-drop=all my_container

More information here