envoy: CORS headers missing from response

I’m trying to add a CORS policy to my only virtual_host in the ingress listener:

"route_config": {
  "virtual_hosts": [
    {
      "routes": [
        {
          "route": {
            "cluster": "my-service",
            "timeout": "60s"
          },
          "match": {
            "prefix": "/"
          }
        }
      ],
      "cors": {
        "allow_headers": "Authorization,Content-Type, correlationid",
        "allow_origin": [
          "my-domain.com"
        ],
        "allow_methods": "GET, POST, PUT, HEAD, OPTIONS"
      },
...

Based on implementation details for CORS, having this should allow me to do an OPTIONS request and get a 200 OK back with the corresponding CORS headers in the response. However, it looks like my OPTIONS request is bypassing this filter altogether and getting to my application (which then responds with a 405 error):

# curl -v https://my-service -X OPTIONS -H 'Origin: foo.com'
*   Trying 172.20.244.140...
* TCP_NODELAY set
* Connected to my-service (172.20.244.140) port 443 (#0)
> OPTIONS / HTTP/1.1
> Host: my-service
> User-Agent: curl/7.61.0
> Accept: */*
> Origin: foo.com
> 
< HTTP/1.1 405 Method Not Allowed
< content-type: application/json; charset=UTF-8
< date: Tue, 30 Oct 2018 20:30:41 GMT
< content-length: 32
< x-envoy-upstream-service-time: 3
< server: my-service
< 
* Connection #0 to host my-service left intact
{"message":"Method Not Allowed"}

In this case my-service is a K8s service listening on 443 and sending to Envoy’s ingress listener, which has only one virtual_host defined with the CORS policy listed above. Any ideas as to what I might be missing here?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 20 (9 by maintainers)

Most upvoted comments

I had to remove the grpc : {} from the routes.match property.

I think this already works as intended. I attempted to repro with an invalid regex and an exception was thrown at startup.

front-envoy_1_a1d4160e9143 | [2018-11-30 20:04:30.653][000007][critical][main] [source/server/server.cc:85] error initializing configuration '/etc/front-envoy.yaml': Invalid regex '*': regex_error
front-envoy_1_a1d4160e9143 | [2018-11-30 20:04:30.655][000007][info][main] [source/server/server.cc:502] exiting

It appears you’re missing the Access-Control-Request-Method header in your OPTIONS request.
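
Added example (not part of the issue thread and not Envoy's code): a simplified Python model of the decision a proxy-side CORS filter makes before it answers a preflight itself, using the policy values and the curl request from the issue. The check order and the exact-string origin match are assumptions; `classify`, `POLICY` and `CASES` are hypothetical names.

```python
# Simplified model of a CORS preflight decision. This is NOT Envoy source;
# the check order and exact-string origin match are assumptions.
# Policy values are copied from the virtual_host config in the issue.
POLICY = {
    "allow_origin": ["my-domain.com"],
    "allow_methods": "GET, POST, PUT, HEAD, OPTIONS",
    "allow_headers": "Authorization,Content-Type, correlationid",
}


def classify(method, headers, policy=POLICY):
    """Return (decision, response_headers) for one request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("origin", "")
    if not origin:
        return "forward: no Origin header", {}
    allowed = policy["allow_origin"]
    if origin not in allowed and "*" not in allowed:
        return "forward: Origin not in allow_origin", {}
    # A preflight is OPTIONS *and* carries Access-Control-Request-Method.
    if method.upper() != "OPTIONS" or not h.get("access-control-request-method"):
        return "forward: not a preflight", {}
    return "answer 200 at proxy", {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": policy["allow_methods"],
        "access-control-allow-headers": policy["allow_headers"],
    }


# Constructed requests; the first mirrors the curl call shown in the issue.
CASES = [
    ("OPTIONS", {"Origin": "foo.com"}),
    ("OPTIONS", {"Origin": "my-domain.com"}),
    ("OPTIONS", {"Origin": "my-domain.com",
                 "Access-Control-Request-Method": "POST"}),
    ("GET", {"Origin": "my-domain.com"}),
]

if __name__ == "__main__":
    for method, headers in CASES:
        decision, resp = classify(method, headers)
        print(f"{method:8} {headers} -> {decision} {resp}")
```

Only the third case is answered at the proxy; every "forward" outcome reaches the upstream application, which is where the 405 in the issue came from.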