I believe you could do this with something like Open Policy Agent. It has more policy driven language and capabilities for handling this sort of thing.
Here is a quick example policy (note: not tested etc.)
package kubernetes.admission
deny["User not permitted to create LoadBalancer service."] {
input.request.kind.kind = "Service"
input.request.operation = "CREATE"
input.request.object.spec.type = "LoadBalancer"
not lb_admins
}
lb_admins {
group := input.request.userInfo.groups[_]
lb_admin_groups[group]
}
lb_admin_groups = { "cluster-admins", "net-admins" }