Docs on required capabilities? (NET_ADMIN / NET_RAW)
#3957
I've tried searching a bit for information regarding the capabilities Fail2Ban expects to run with, but it's either not documented that well in this repo/issues/discussions, or I'm using the wrong keywords. I commonly see
Replies: 1 comment
Fail2ban (as a tool or as a Python process) doesn't require any capability to run, but... Because fail2ban-server normally runs (as a systemd service or init daemon) as root, it basically has all needed capabilities by definition, which is why it is not documented well. The same is surely valid for containers (if fail2ban is to run in a container but, for instance, ban or monitor logs/journal outside of the container); however, this repository is rather for bare metal and doesn't focus on containers either... There are some forks, like https://github.com/crazy-max/docker-fail2ban, that may be better suited for such a question. Although the question is too generic for my taste, and it really depends.
It surely depends on the goals for which you need it, and then on the jails to protect, banning actions, etc. E.g. if you need banactions to ban IPs via the netfilter subsystem (iptables/nftables/etc.), it would surely be NET_ADMIN. But if your banning is not IP-based, e.g. session/user/token only, for instance with something like the nginx-block-map action, or your action just redirects requests for certain IDs to some proxy backend (honeypot), or it is just an action notifying the admin by e-mail about some failures, you'd not need it at all. Also it is crucial to be able to monitor logs and/or the journal (but I don't think yo…
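A practical way to check the point made in the reply above (that a root-run fail2ban-server already holds every capability, while a container or hardened unit may not) is to read the effective capability set of the running process from /proc and decode the bits. The script below is an added example, not code from the fail2ban project or from the reply's author. It uses the capability bit numbers from <linux/capability.h> (CAP_NET_ADMIN is bit 12, CAP_NET_RAW is bit 13); CAP_NET_RAW is checked only because the question asks about it, not because an iptables/nftables banaction requires it. The three masks it decodes by default are constructed for illustration (a full root-like set, a set holding only the two NET_* bits, and a set holding only CAP_DAC_READ_SEARCH); the live check against `fail2ban-server` runs only when `pgrep` exists and the process is found.

```shell
#!/bin/sh
# Added example (not fail2ban project code): decode the CapEff field of a
# process and report whether CAP_NET_ADMIN / CAP_NET_RAW are present.
# Bit numbers are taken from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK_HEX BIT -> exit status 0 if bit BIT is set in the hex mask
# (MASK_HEX is the raw value as printed in /proc/<pid>/status, no 0x prefix)
has_cap() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# cap_eff PID -> prints the effective capability mask of PID
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# report MASK_HEX -> one "NAME: present|missing" line per capability of interest
report() {
    for name_bit in "CAP_NET_ADMIN:$CAP_NET_ADMIN" "CAP_NET_RAW:$CAP_NET_RAW"; do
        name=${name_bit%%:*}
        bit=${name_bit##*:}
        if has_cap "$1" "$bit"; then
            echo "$name: present"
        else
            echo "$name: missing"
        fi
    done
}

# Constructed sample masks (assumption: illustrative values, not captured
# from a real host):
#   000001ffffffffff  full set a root-started daemon typically holds
#   0000000000003000  only CAP_NET_ADMIN|CAP_NET_RAW, e.g. a container with
#                     "cap_add: [NET_ADMIN, NET_RAW]" and everything else dropped
#   0000000000000004  only CAP_DAC_READ_SEARCH, enough to read logs but not
#                     to change netfilter rules
for mask in 000001ffffffffff 0000000000003000 0000000000000004; do
    echo "mask $mask:"
    report "$mask"
done

# Live check of a running fail2ban-server, if one is present on this host.
if command -v pgrep >/dev/null 2>&1; then
    pid=$(pgrep -x fail2ban-server 2>/dev/null | head -n 1)
    if [ -n "$pid" ]; then
        echo "fail2ban-server (pid $pid) CapEff:"
        report "$(cap_eff "$pid")"
    fi
fi
```

If the live report shows CAP_NET_ADMIN missing while a jail uses an iptables/nftables-based banaction, the bans will fail at rule-insertion time even though the server itself starts fine, which matches the reply's distinction between what fail2ban needs to run and what a particular banaction needs.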