JWT Authentication always 401

I use Authentication in istio1.1.3 and I apply an yaml like this:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "require-mtls-jwt-reglogverify"
  namespace: default
spec:
  targets:
  - name: account-rodata
    ports:
    - number: 8080
  - name: case-launching
    ports:
    - number: 8080
  - name: case-rodata
    port:
    - number: 8080
  - name: conference
    port:
    - number: 8080
  - name: conference-read
    port:
    - number: 8080
  origins:
  - jwt:
      issuer: "xxx"
      jwksUri: "sss"
      jwt_headers:
      - "key"
      trigger_rules:
      - excluded_paths:
        - exact: /api/base_register
        - exact: /actuator/health
        - exact: /api/search_case
        - exact: /api/passive_register
  principalBinding: USE_ORIGIN

But I find only the first exact is working.
After that I wanna delete the policy but after run kubectl delete -f , it’s still working(return 401).
I guess that there is another policy ruling this, But I can’t find it
policies.authentication.istio.io --all-namespaces return nothing
How can I know which policy respond the 401

But I find only the first exact is working.

What happens for other exact match in the rules?

After that I wanna delete the policy but after run kubectl delete -f , it’s still working(return 401).
I guess that there is another policy ruling this, But I can’t find it
policies.authentication.istio.io --all-namespaces return nothing
How can I know which policy respond the 401

It may take sometime for the delete to propagate, did you still see 401 even after 5 minutes? You can try meshpolicies.authentication.istio.io --all-namespaces to check the mesh-wide policy.

other exact match will get 401
kubectl get meshpolicies.authentication.istio.io --all-namespaces gets nothing.
I use kubectl delete -f xxx.yaml to delete all related yaml. But the same thing happened a day later.
Maybe It’s cache, but I don’t know how to flush it or restart which pod.