diff --git a/docs/yml.md b/docs/yml.md
index 059d165ca..3096ba835 100644
--- a/docs/yml.md
+++ b/docs/yml.md
@@ -142,6 +142,20 @@ dns:
 - 9.9.9.9
 ```
+### cap_add, cap_drop
+
+Add or drop container capabilities.
+See `man 7 capabilities` for a full list.
+
+```
+cap_add:
+ - ALL
+
+cap_drop:
+ - NET_ADMIN
+ - SYS_ADMIN
+```
+
 ### working\_dir, entrypoint, user, hostname, domainname, mem\_limit, privileged, restart
 Each of these is a single value, analogous to its [docker run](https://docs.docker.com/reference/run/) counterpart.
diff --git a/fig/service.py b/fig/service.py
index 1685111ce..645b6adfc 100644
--- a/fig/service.py
+++ b/fig/service.py
@@ -15,7 +15,7 @@ from .progress_stream import stream_output, StreamOutputError
 log = logging.getLogger(__name__)
-DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'domainname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'entrypoint', 'privileged', 'volumes_from', 'net', 'working_dir', 'restart']
+DOCKER_CONFIG_KEYS = ['image', 'command', 'hostname', 'domainname', 'user', 'detach', 'stdin_open', 'tty', 'mem_limit', 'ports', 'environment', 'dns', 'volumes', 'entrypoint', 'privileged', 'volumes_from', 'net', 'working_dir', 'restart', 'cap_add', 'cap_drop']
 DOCKER_CONFIG_HINTS = {
 'link' : 'links',
 'port' : 'ports',
@@ -261,6 +261,8 @@ class Service(object):
 privileged = options.get('privileged', False)
 net = options.get('net', 'bridge')
 dns = options.get('dns', None)
+ cap_add = options.get('cap_add', None)
+ cap_drop = options.get('cap_drop', None)
 restart = parse_restart_spec(options.get('restart', None))
@@ -272,7 +274,9 @@ class Service(object):
 privileged=privileged,
 network_mode=net,
 dns=dns,
- restart_policy=restart
+ restart_policy=restart,
+ cap_add=cap_add,
+ cap_drop=cap_drop,
 )
 return container
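Review bot: The two new keys are appended to a `DOCKER_CONFIG_KEYS` literal that already runs to a single line of well over a hundred characters, so the addition is hard to spot in review and every later key will keep widening it. Consider reformatting the list with one key per line and a trailing comma, which also turns future additions into one-line diffs; `DOCKER_CONFIG_HINTS` directly below is already laid out that way.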
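Review bot: `cap_add` and `cap_drop` are read from `options` at the two added lines and, in the following hunk, passed as keyword arguments to the call that yields `container` without any check on their shape; a YAML author writing `cap_add: NET_ADMIN` supplies a string rather than the list the integration tests use, and if docker-py forwards it unchanged the daemon receives a string where it expects an array. Normalising before use, `if cap_add is not None and not isinstance(cap_add, list): cap_add = [cap_add]` (and likewise for `cap_drop`), keeps the failure close to the configuration instead of surfacing as a daemon error. A one-line comment that these are host-level privilege settings forwarded as given would also help; presumably a container started with `privileged` (read a few lines above) receives every capability regardless of `cap_drop`, which is worth confirming against the targeted Docker version and noting if so. The enclosing method's signature, and the call these values feed, lie outside this hunk.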
@@ -379,7 +383,7 @@ class Service(object):
 container_options['image'] = self._build_tag_name()
 # Delete options which are only used when starting
- for key in ['privileged', 'net', 'dns', 'restart']:
+ for key in ['privileged', 'net', 'dns', 'restart', 'cap_add', 'cap_drop']:
 if key in container_options:
 del container_options[key]
diff --git a/tests/integration/service_test.py b/tests/integration/service_test.py
index 117cf99d6..9d3e0b126 100644
--- a/tests/integration/service_test.py
+++ b/tests/integration/service_test.py
@@ -376,6 +376,16 @@ class ServiceTest(DockerClientTestCase):
 self.assertEqual(container['HostConfig']['RestartPolicy']['Name'], 'on-failure')
 self.assertEqual(container['HostConfig']['RestartPolicy']['MaximumRetryCount'], 5)
+ def test_cap_add_list(self):
+ service = self.create_service('web', cap_add=['SYS_ADMIN', 'NET_ADMIN'])
+ container = service.start_container().inspect()
+ self.assertEqual(container['HostConfig']['CapAdd'], ['SYS_ADMIN', 'NET_ADMIN'])
+
+ def test_cap_drop_list(self):
+ service = self.create_service('web', cap_drop=['SYS_ADMIN', 'NET_ADMIN'])
+ container = service.start_container().inspect()
+ self.assertEqual(container['HostConfig']['CapDrop'], ['SYS_ADMIN', 'NET_ADMIN'])
+
 def test_working_dir_param(self):
 service = self.create_service('container', working_dir='/working/dir/sample')
 container = service.create_container().inspect()
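Review bot: The set of start-only keys is now maintained in two places, this `for key in [...]` literal and the run of `options.get(...)` reads in the earlier `@@ -261` hunk, and a key added to one but not the other would either reach the create call unexpectedly or never be applied at start. A module-level constant beside `DOCKER_CONFIG_KEYS`, e.g. `START_ONLY_KEYS = ['privileged', 'net', 'dns', 'restart', 'cap_add', 'cap_drop']`, with this loop becoming `for key in START_ONLY_KEYS:`, gives that relationship a single home and a place for a comment explaining why these keys are stripped before creation. The enclosing method begins before this hunk.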
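Review bot: Both new tests exercise only the list form and only the branch where the option is present, so the default path, neither key given, is not pinned. A third test that calls `self.create_service('web')` without either key and asserts what `container['HostConfig']['CapAdd']` and `['CapDrop']` hold would guard the `None` default the service code passes through; the exact value the daemon reports there (`None` or an empty list) should be checked against the Docker version the suite targets rather than assumed.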