Packetbeat docker image 'help' and 'setup' subcommands fail without --cap-add=NET_ADMIN

The packetbeat docker image normally requires that the flag --cap-add=NET_ADMIN be passed in order to capture packets. This is understandable and expected when packet capture is actually being performed, however the docker command fails if that permission is not provided even for the help and setup sub-commands:

/usr/local/bin/docker-entrypoint: line 13: /usr/share/packetbeat/packetbeat: Operation not permitted

Is there any way to execute the setup command without providing the docker container with elevated privileges? I want to perform the setup in a cluster with limited access and don't want to give the container these permissions where it should not be necessary.