Istio请求认证-获得结果为404的Cors

这是我的请求认证，

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name:prod-authenticator
namespace: prod
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: https://securetoken.google.com/<project-id>
jwksUri: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

My AuthorizationPolicy is this，

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name:prod-authorized-api
namespace: prod
spec:
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["*"]
- to:
- operation:
paths: ["/user/ping"]

下面的命令可以帮助我排除没有有效令牌的健康路径(/user/ping)。

My Virtual Service is

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: user-svc-vs
namespace: prod
spec:
hosts:
- gateway.xxxx.com
gateways:
- istio-system/prod-gateway
http:
- match:
- uri:
prefix: /pop
route:
- destination:
host:user-svc.prod.svc.cluster.local 

但是当检查时，我可以看到只有健康api得到200，其余的都得到404，当检查浏览器时，我看到

从origin 'https://<>'访问'https://' '的XMLHttpRequest已被CORS策略阻止:对preflight请求的响应未通过访问控制检查:请求的资源上不存在'Access- control - allow - origin '标头。

在虚拟服务中，我试图添加" corsppolicy "

sample virtual service try example is

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-route
spec:
hosts:
- ratings.prod.svc.cluster.local
http:
- route:
- destination:
host: ratings.prod.svc.cluster.local
subset: v1
corsPolicy:
allowOrigins:
- exact: https://example.com
allowMethods:
- POST
- GET
allowCredentials: false
allowHeaders:
- X-Foo-Bar
maxAge: "24h"

<<以上不是我们的例子，但我已经复制了，但我应用了我目前的环境，但仍然没有运气!有谁能帮我吗，在这上面挣扎了一整天:)