Within Kubernetes there is no reason to run with the capability NET_BIND_SERVICE.

The helm charts already use non-standard ports by default.

The docker file add

RUN setcap cap_net_bind_service=-ep /usr/local/sbin/haproxy

And we should drop the capability NET_BIND_SERVICE from the manifests