How to do it...

Docker lets you add capabilities to a container and drop them from it at start time. Here are some common use cases:

  1. To drop capabilities, run a command similar to the following:
        $ docker container run --cap-drop <CAPABILITY> <image> <command>
  2. Similarly, to add capabilities, run a command similar to the following:
        $ docker container run --cap-add <CAPABILITY> <image> <command>
  3. To remove the setuid and setgid capabilities from the container so that it cannot run binaries that have these bits set, run the following command:
        $ docker container run -it --cap-drop setuid --cap-drop setgid alpine ash
  4. To add all the capabilities and drop only sys_admin, run the following command:
        $ docker container run -it --cap-add all --cap-drop sys_admin alpine ash
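
To confirm that the flags above took effect, you can decode the capability mask that `grep CapEff /proc/self/status` prints inside the container. The script below is an added example, not code from the book; the function names are hypothetical and the three masks are constructed samples (the last one assumes a kernel that defines 41 capabilities).

```shell
#!/bin/sh
# Added example: check a hex capability mask (CapEff/CapBnd from
# /proc/<pid>/status) for the capabilities named on the docker command line.

# Constructed sample masks, embedded so the script runs without Docker.
DEFAULT_MASK=00000000a80425fb    # container started with no --cap-* flags
DROPPED_MASK=00000000a804253b    # --cap-drop setuid --cap-drop setgid
ALL_BUT_ADMIN=000001ffffdfffff   # --cap-add all --cap-drop sys_admin

# Map a capability name to its bit number in linux/capability.h.
# Covers only the names this example needs.
cap_bit() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^cap_//')" in
        chown)            echo 0 ;;
        setgid)           echo 6 ;;
        setuid)           echo 7 ;;
        net_bind_service) echo 10 ;;
        net_raw)          echo 13 ;;
        sys_chroot)       echo 18 ;;
        sys_admin)        echo 21 ;;
        *)                return 1 ;;
    esac
}

# cap_is_set MASK NAME: exit 0 if the bit is set, 1 if clear, 2 if NAME is unknown.
cap_is_set() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# check_dropped MASK NAME...: report each capability; non-zero exit if any
# capability that should be gone is still present (or its name is unknown).
check_dropped() {
    mask=$1; shift; rc=0
    for name in "$@"; do
        st=0
        cap_is_set "$mask" "$name" || st=$?
        case $st in
            0) echo "STILL PRESENT: $name"; rc=1 ;;
            1) echo "dropped: $name" ;;
            *) echo "unknown capability: $name"; rc=2 ;;
        esac
    done
    return $rc
}

check_dropped "$DROPPED_MASK" setuid setgid
```

Inside a running container, replace the sample mask with the value from the `CapEff:` line of `/proc/self/status`.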