From fa2ec506a4401275eacb27fcd20820d51e1ff50a Mon Sep 17 00:00:00 2001 From: Benno Evers Date: Fri, 21 Mar 2025 00:29:18 +0100 Subject: [PATCH] Clarify restrictions on capabilities --- content/reference/compose-file/services.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/reference/compose-file/services.md b/content/reference/compose-file/services.md index 3b14cc48590b..4b35c6de5afc 100644 --- a/content/reference/compose-file/services.md +++ b/content/reference/compose-file/services.md @@ -217,9 +217,15 @@ as strings. ```yaml cap_add: - - ALL + - NET_BIND_SERVICE ``` +By default, the docker runtime drops all but a selected subset of capabilities when running a container as root. +`cap_add` can be used to add additional capabilities to this set of retained capabilities. + +`cap_add` is only supported when running the container as root user. It is not possible to add ambient +capabilities to non-privileged container with the `cap_add` directive. + ### `cap_drop` `cap_drop` specifies container [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) to drop @@ -227,8 +233,7 @@ as strings. ```yaml cap_drop: - - NET_ADMIN - - SYS_ADMIN + - ALL ``` ### `cgroup`
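Review bot: in the first hunk (the `cap_add` paragraph), "`cap_add` is only supported when running the container as root user" overstates the restriction: the directive is still accepted and applied to the container's capability set whatever user is configured; it is the non-root process that does not receive the added capabilities, because the runtime does not raise them into the ambient set. Suggest "`cap_add` only has an effect when the container process runs as root" and, in the next sentence, "to a non-root container" instead of "to non-privileged container" (missing article, and "non-privileged" is easily confused with the `privileged` attribute). Also write "Docker" with a capital or, since this is the Compose reference, say "the container runtime" so the statement is not tied to one engine, and note that the "selected subset" is the runtime's documented default capability set rather than something Compose defines. Switching the example from `ALL` to `NET_BIND_SERVICE` is a good change, since the old example invited readers to copy an all-capabilities grant.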
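Review bot: in the second hunk (the `cap_drop` example), replacing `NET_ADMIN`/`SYS_ADMIN` with `ALL` removes the only illustration of dropping individual capabilities, and the surrounding text does not explain why `ALL` is the value shown. Together with the `cap_add` example now reading `NET_BIND_SERVICE`, the two snippets form the usual "drop everything, add back only what is needed" pattern, but a reader of the `cap_drop` section alone will not see that. Suggest adding one sentence after the example, for instance: "`ALL` drops every capability; combined with `cap_add`, this leaves the container with only the capabilities listed there." If dropping specific capabilities is still meant to be documented, keep one of the old entries alongside `ALL` in a second snippet rather than dropping it silently.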