OS metrics without CAP_NET_ADMIN. #8787

@alexey-milovidov

CAP_NET_ADMIN is theoretically unsafe.

Suppose a hypothetical situation where:

  • there is an RCE vulnerability in ClickHouse;
  • the host has access to two networks: the external network and the internal company network;
  • the internal company network is protected by iptables and the ClickHouse process cannot use it;
  • but the combination of CAP_NET_ADMIN and RCE will allow modifying firewall rules and accessing the company network.

But CAP_NET_ADMIN is needed to collect OS kernel metrics via the Netlink interface. Look at TaskStatsInfoGetter.

Happily enough, we can also collect these metrics from procfs files inside /proc/thread-self/.
Example:

taskstats.cpu_delay_total : task->se.sum_exec_runtime : /proc/thread-self/schedstat
taskstats.blkio_delay_total : (as a summand) tsk->delays->blkio_delay + tsk->delays->swapin_delay : /proc/thread-self/stat
taskstats.cpu_run_virtual_total :  task->sched_info.run_delay : /proc/thread-self/schedstat
read_char : /proc/thread-self/io
write_char : /proc/thread-self/io
read_bytes : /proc/thread-self/io
write_bytes : /proc/thread-self/io

(this example is provided by Maxim Samoylov from Yandex OS kernel development team, also look at man proc)

We can keep the file descriptor open and obtain these metrics by pread.
Parsing of text files shouldn't take any significant resources.

We can use this option to collect metrics as a fallback if CAP_NET_ADMIN is not available.
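
A sketch of the fallback described above, added here as an example and not taken from ClickHouse: open /proc/thread-self/io once per thread, re-read it with pread at offset 0, and parse the `key: value` lines. The names `parseProcIo` and `ThreadProcFile` are hypothetical; no capability is needed to read the calling thread's own file.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <cstdint>
#include <exception>
#include <map>
#include <sstream>
#include <string>

// Parse the "key: value" lines of /proc/thread-self/io.
std::map<std::string, uint64_t> parseProcIo(const std::string & text)
{
    std::map<std::string, uint64_t> out;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);)
    {
        const auto colon = line.find(':');
        if (colon == std::string::npos || colon == 0)
            continue;  // malformed line: skip it rather than fail the whole read
        try
        {
            const uint64_t value = std::stoull(line.substr(colon + 1));
            out[line.substr(0, colon)] = value;
        }
        catch (const std::exception &) {}  // non-numeric value: skip
    }
    return out;
}

// Hypothetical helper: one instance per thread. /proc/thread-self is resolved
// at open() time, so the descriptor stays bound to the thread that opened it.
class ThreadProcFile
{
public:
    explicit ThreadProcFile(const char * path) : fd(::open(path, O_RDONLY | O_CLOEXEC)) {}
    ~ThreadProcFile() { if (fd >= 0) ::close(fd); }
    ThreadProcFile(const ThreadProcFile &) = delete;
    ThreadProcFile & operator=(const ThreadProcFile &) = delete;

    // Re-read from offset 0 on the same descriptor; false if unavailable.
    bool read(std::string & out) const
    {
        char buf[1024];
        const ssize_t n = fd < 0 ? -1 : ::pread(fd, buf, sizeof(buf), 0);
        if (n <= 0)
            return false;
        out.assign(buf, static_cast<size_t>(n));
        return true;
    }

private:
    int fd;
};
```

A `false` return from `read` (file missing or unreadable) is the point at which a caller would report the metric as unavailable.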
